Consolidate nss-util, nss-softokn, and nss into a single package

Also modernize spec file, as suggested by Robert-André Mauchin in:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/3JTN2YN3HM47UKSVTSANB4MO4UJDJPF5/
Daiki Ueno 2018-11-27 14:32:07 +01:00
parent 4521183f36
commit 66df6d2135
13 changed files with 742 additions and 284 deletions


@ -1,16 +0,0 @@
diff -up nss/coreconf/Linux.mk.relro nss/coreconf/Linux.mk
--- nss/coreconf/Linux.mk.relro 2013-04-09 14:29:45.943228682 -0700
+++ nss/coreconf/Linux.mk 2013-04-09 14:31:26.194953927 -0700
@@ -174,6 +174,12 @@ endif
endif
endif
+# harden DSOs/executables a bit against exploits
+ifeq (2.6,$(firstword $(sort 2.6 $(OS_RELEASE))))
+DSO_LDOPTS+=-Wl,-z,relro
+LDFLAGS += -Wl,-z,relro
+endif
+
USE_SYSTEM_ZLIB = 1
ZLIB_LIBS = -lz


@ -1,15 +0,0 @@
diff -up ./nss/cmd/Makefile.skipthem ./nss/cmd/Makefile
--- ./nss/cmd/Makefile.skipthem 2017-01-06 13:17:27.477848351 +0100
+++ ./nss/cmd/Makefile 2017-01-06 13:19:30.244586100 +0100
@@ -19,7 +19,11 @@ BLTEST_SRCDIR =
ECPERF_SRCDIR =
FREEBL_ECTEST_SRCDIR =
FIPSTEST_SRCDIR =
+ifeq ($(NSS_BLTEST_NOT_AVAILABLE),1)
+SHLIBSIGN_SRCDIR = shlibsign
+else
SHLIBSIGN_SRCDIR =
+endif
else
BLTEST_SRCDIR = bltest
ECPERF_SRCDIR = ecperf


@ -1,10 +0,0 @@
diff -up nss/gtests/manifest.mn.skip_util_gtest nss/gtests/manifest.mn
--- nss/gtests/manifest.mn.skip_util_gtest 2017-08-08 12:45:57.598801125 +0200
+++ nss/gtests/manifest.mn 2017-08-08 12:46:59.682419852 +0200
@@ -31,6 +31,5 @@ endif
DIRS = \
$(LIB_SRCDIRS) \
- $(UTIL_SRCDIRS) \
$(NSS_SRCDIRS) \
$(NULL)

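--- a/nss-softokn-config.in
+++ b/nss-softokn-config.in
@@ -0,0 +1,116 @@
+#!/bin/sh
+prefix=@prefix@
+major_version=@MOD_MAJOR_VERSION@
+minor_version=@MOD_MINOR_VERSION@
+patch_version=@MOD_PATCH_VERSION@
+usage()
+{
+cat <<EOF
+Usage: nss-softokn-config [OPTIONS] [LIBRARIES]
+Options:
+[--prefix[=DIR]]
+[--exec-prefix[=DIR]]
+[--includedir[=DIR]]
+[--libdir[=DIR]]
+[--version]
+[--libs]
+[--cflags]
+Dynamic Libraries:
+softokn3 - Requires full dynamic linking
+freebl3 - for internal use only (and glibc for self-integrity check)
+nssdbm3 - for internal use only
+Dymamically linked
+EOF
+exit $1
+}
+if test $# -eq 0; then
+usage 1 1>&2
+fi
+while test $# -gt 0; do
+case "$1" in
+-*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
+*) optarg= ;;
+esac
+case $1 in
+--prefix=*)
+prefix=$optarg
+;;
+--prefix)
+echo_prefix=yes
+;;
+--exec-prefix=*)
+exec_prefix=$optarg
+;;
+--exec-prefix)
+echo_exec_prefix=yes
+;;
+--includedir=*)
+includedir=$optarg
+;;
+--includedir)
+echo_includedir=yes
+;;
+--libdir=*)
+libdir=$optarg
+;;
+--libdir)
+echo_libdir=yes
+;;
+--version)
+echo ${major_version}.${minor_version}.${patch_version}
+;;
+--cflags)
+echo_cflags=yes
+;;
+--libs)
+echo_libs=yes
+;;
+*)
+usage 1 1>&2
+;;
+esac
+shift
+done
+# Set variables that may be dependent upon other variables
+if test -z "$exec_prefix"; then
+exec_prefix=`pkg-config --variable=exec_prefix nss-softokn`
+fi
+if test -z "$includedir"; then
+includedir=`pkg-config --variable=includedir nss-softokn`
+fi
+if test -z "$libdir"; then
+libdir=`pkg-config --variable=libdir nss-softokn`
+fi
+if test "$echo_prefix" = "yes"; then
+echo $prefix
+fi
+if test "$echo_exec_prefix" = "yes"; then
+echo $exec_prefix
+fi
+if test "$echo_includedir" = "yes"; then
+echo $includedir
+fi
+if test "$echo_libdir" = "yes"; then
+echo $libdir
+fi
+if test "$echo_cflags" = "yes"; then
+echo -I$includedir
+fi
+if test "$echo_libs" = "yes"; then
+libdirs="-Wl,-rpath-link,$libdir -L$libdir"
+echo $libdirs
+fi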
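Review bot: The three `pkg-config --variable=... nss-softokn` fallbacks near the end of the script never check for failure, so when pkg-config or the .pc file is missing `--cflags` prints a bare `-I` and `--libs` prints `-Wl,-rpath-link, -L`, and a compiler or linker will typically consume whatever argument follows as the path. Fail closed instead, e.g. `libdir=$(pkg-config --variable=libdir nss-softokn) || exit 1`, and quote the outputs (`printf '%s\n' "-I$includedir"`) so a `--libdir=DIR` value containing spaces or glob characters is not word-split on the way out. The usage text also carries the typo `Dymamically`, and `--libs` here emits no `-l` options at all, which may be intentional but deserves a comment. nss-util-config.in repeats the same unchecked fallbacks and unquoted echoes.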


@ -0,0 +1,18 @@
#!/bin/bash
# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
# ex: ts=8 sw=4 sts=4 et filetype=sh
check() {
return 255
}
depends() {
return 0
}
install() {
local _dir
inst_libdir_file libfreeblpriv3.so libfreeblpriv3.chk \
libfreebl3.so
}
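Review bot: `check()` returns a bare 255 and none of the three functions is commented, so the reader has to know dracut's convention that 255 means the module is included only when another module depends on it or it is requested explicitly. A header comment such as `# 255: include only on demand; enabled via add_dracutmodules in nss-softokn-dracut.conf` would record that, and the unused `local _dir` in `install()` can be dropped. It would also help to state why `libfreeblpriv3.chk` is copied into the initramfs (presumably for the freebl integrity self-check) and whether `libfreebl3.so` needs its own `.chk` there, since the spec's `__spec_install_post` runs `shlibsign -i` on both libraries.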

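--- a/nss-softokn-dracut.conf
+++ b/nss-softokn-dracut.conf
@@ -0,0 +1,3 @@
+# turn on nss-softokn module
+add_dracutmodules+=" nss-softokn "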

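--- a/nss-softokn-prelink.conf
+++ b/nss-softokn-prelink.conf
@@ -0,0 +1,6 @@
+-b /lib{,64}/libfreeblpriv3.so
+-b /lib{,64}/libsoftokn3.so
+-b /lib{,64}/libnssdbm3.so
+-b /usr/lib{,64}/libfreeblpriv3.so
+-b /usr/lib{,64}/libsoftokn3.so
+-b /usr/lib{,64}/libnssdbm3.so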
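Review bot: The blacklist carries no comment saying why these libraries are excluded, and it omits `libfreebl3.so` even though the spec's `__spec_install_post` runs `shlibsign -i` on it alongside the three listed here. If the `.chk` signatures are the reason for the `-b` entries (prelink rewriting a signed library would presumably invalidate its checksum), either add `-b /lib{,64}/libfreebl3.so` and `-b /usr/lib{,64}/libfreebl3.so` or note why that library is exempt. A leading `#` comment line stating the purpose would be enough documentation.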

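--- a/nss-softokn.pc.in
+++ b/nss-softokn.pc.in
@@ -0,0 +1,11 @@
+prefix=%prefix%
+exec_prefix=%exec_prefix%
+libdir=%libdir%
+includedir=%includedir%
+Name: NSS-SOFTOKN
+Description: Network Security Services Softoken PKCS #11 Module
+Version: %SOFTOKEN_VERSION%
+Requires: nspr >= %NSPR_VERSION%, nss-util >= %NSSUTIL_VERSION%
+Libs: -L${libdir} -lfreebl3 -lnssdbm3 -lsoftokn3
+Cflags: -I${includedir}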
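Review bot: The `Libs:` line hands `-lfreebl3 -lnssdbm3` to every consumer of this .pc file, while the usage text in nss-softokn-config.in describes freebl3 and nssdbm3 as "for internal use only". If applications are not meant to link those libraries directly, consider narrowing the line to `Libs: -L${libdir} -lsoftokn3`, or add a comment saying the extra libraries are listed for NSS's own build; existing consumers may depend on the current form, so this needs confirming before it changes. The companion script's `--libs` prints no `-l` options at all, so the two interfaces currently disagree.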


@ -0,0 +1,29 @@
# HG changeset patch
# User Daiki Ueno <dueno@redhat.com>
# Date 1541595734 -3600
# Wed Nov 07 14:02:14 2018 +0100
# Node ID 19fd907784e38a5febb54588353368af91b12551
# Parent 3b79af0fa294b4b1c009c1c0b659bb72b4d2c1c8
Bug 1505317, update PayPal test certs
diff --git a/tests/chains/scenarios/realcerts.cfg b/tests/chains/scenarios/realcerts.cfg
--- a/tests/chains/scenarios/realcerts.cfg
+++ b/tests/chains/scenarios/realcerts.cfg
@@ -21,7 +21,7 @@ verify TestUser51:x
result pass
verify PayPalEE:x
- policy OID.2.16.840.1.114412.1.1
+ policy OID.2.16.840.1.114412.2.1
result pass
verify BrAirWaysBadSig:x
diff --git a/tests/libpkix/vfychain_test.lst b/tests/libpkix/vfychain_test.lst
--- a/tests/libpkix/vfychain_test.lst
+++ b/tests/libpkix/vfychain_test.lst
@@ -1,4 +1,4 @@
# Status | Leaf Cert | Policies | Others(undef)
0 TestUser50 undef
0 TestUser51 undef
-0 PayPalEE OID.2.16.840.1.114412.1.1
+0 PayPalEE OID.2.16.840.1.114412.2.1

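--- a/nss-util-config.in
+++ b/nss-util-config.in
@@ -0,0 +1,118 @@
+#!/bin/sh
+prefix=@prefix@
+major_version=@MOD_MAJOR_VERSION@
+minor_version=@MOD_MINOR_VERSION@
+patch_version=@MOD_PATCH_VERSION@
+usage()
+{
+cat <<EOF
+Usage: nss-util-config [OPTIONS] [LIBRARIES]
+Options:
+[--prefix[=DIR]]
+[--exec-prefix[=DIR]]
+[--includedir[=DIR]]
+[--libdir[=DIR]]
+[--version]
+[--libs]
+[--cflags]
+Dynamic Libraries:
+nssutil
+EOF
+exit $1
+}
+if test $# -eq 0; then
+usage 1 1>&2
+fi
+lib_nssutil=yes
+while test $# -gt 0; do
+case "$1" in
+-*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
+*) optarg= ;;
+esac
+case $1 in
+--prefix=*)
+prefix=$optarg
+;;
+--prefix)
+echo_prefix=yes
+;;
+--exec-prefix=*)
+exec_prefix=$optarg
+;;
+--exec-prefix)
+echo_exec_prefix=yes
+;;
+--includedir=*)
+includedir=$optarg
+;;
+--includedir)
+echo_includedir=yes
+;;
+--libdir=*)
+libdir=$optarg
+;;
+--libdir)
+echo_libdir=yes
+;;
+--version)
+echo ${major_version}.${minor_version}.${patch_version}
+;;
+--cflags)
+echo_cflags=yes
+;;
+--libs)
+echo_libs=yes
+;;
+*)
+usage 1 1>&2
+;;
+esac
+shift
+done
+# Set variables that may be dependent upon other variables
+if test -z "$exec_prefix"; then
+exec_prefix=`pkg-config --variable=exec_prefix nss-util`
+fi
+if test -z "$includedir"; then
+includedir=`pkg-config --variable=includedir nss-util`
+fi
+if test -z "$libdir"; then
+libdir=`pkg-config --variable=libdir nss-util`
+fi
+if test "$echo_prefix" = "yes"; then
+echo $prefix
+fi
+if test "$echo_exec_prefix" = "yes"; then
+echo $exec_prefix
+fi
+if test "$echo_includedir" = "yes"; then
+echo $includedir
+fi
+if test "$echo_libdir" = "yes"; then
+echo $libdir
+fi
+if test "$echo_cflags" = "yes"; then
+echo -I$includedir
+fi
+if test "$echo_libs" = "yes"; then
+libdirs="-Wl,-rpath-link,$libdir -L$libdir"
+if test -n "$lib_nssutil"; then
+libdirs="$libdirs -lnssutil${major_version}"
+fi
+echo $libdirs
+fi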
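Review bot: `lib_nssutil=yes` is set unconditionally before the option loop and nothing ever clears it, so the `test -n "$lib_nssutil"` guard in the `--libs` branch is always true. The `[LIBRARIES]` argument advertised in the usage text also cannot be passed, because any non-option word falls into the `*) usage 1 1>&2` arm. Either drop the variable and the guard, or add a `nssutil)` case arm that sets it and initialise it to empty. The script derives `-lnssutil${major_version}` from the substituted version while nss-util.pc.in hard-codes `-lnssutil3`, so a comment noting that the two must stay in step would help.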

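--- a/nss-util.pc.in
+++ b/nss-util.pc.in
@@ -0,0 +1,11 @@
+prefix=%prefix%
+exec_prefix=%exec_prefix%
+libdir=%libdir%
+includedir=%includedir%
+Name: NSS-UTIL
+Description: Network Security Services Utility Library
+Version: %NSSUTIL_VERSION%
+Requires: nspr >= %NSPR_VERSION%
+Libs: -L${libdir} -lnssutil3
+Cflags: -I${includedir}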

671
nss.spec

@ -1,9 +1,46 @@
%global nspr_version 4.20.0 %global nspr_version 4.20.0
%global nss_util_version 3.39.0
%global nss_softokn_version 3.39.0
%global nss_version 3.39.0 %global nss_version 3.39.0
%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
%global allTools "certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv" %global allTools "certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv"
%global saved_files_dir %{_libdir}/nss/saved
%global prelink_conf_dir %{_sysconfdir}/prelink.conf.d/
%global dracutlibdir %{_prefix}/lib/dracut
%global dracut_modules_dir %{dracutlibdir}/modules.d/05nss-softokn/
%global dracut_conf_dir %{dracutlibdir}/dracut.conf.d
%bcond_without tests
# Produce .chk files for the final stripped binaries
#
# NOTE: The LD_LIBRARY_PATH line guarantees shlibsign links
# against the freebl that we just built. This is necessary
# because the signing algorithm changed on 3.14 to DSA2 with SHA256
# whereas we previously signed with DSA and SHA1. We must Keep this line
# until all mock platforms have been updated.
# After %%{__os_install_post} we would add
# export LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%%{_libdir}
%define __spec_install_post \
%{?__debug_package:%{__debug_install_post}} \
%{__arch_install_post} \
%{__os_install_post} \
$RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libsoftokn3.so \
$RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libfreeblpriv3.so \
$RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libfreebl3.so \
$RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libnssdbm3.so \
%{nil}
# The upstream omits the trailing ".0", while we need it for
# consistency with the pkg-config version:
# https://bugzilla.redhat.com/show_bug.cgi?id=1578106
%{lua:
rpm.define(string.format("nss_archive_version %s",
string.gsub(rpm.expand("%nss_version"), "(.*)%.0$", "%1")))
}
%{lua:
rpm.define(string.format("nss_release_tag NSS_%s_RTM",
string.gsub(rpm.expand("%nss_archive_version"), "%.", "_")))
}
# The upstream omits the trailing ".0", while we need it for # The upstream omits the trailing ".0", while we need it for
# consistency with the pkg-config version: # consistency with the pkg-config version:
@ -18,21 +55,19 @@ Name: nss
Version: %{nss_version} Version: %{nss_version}
# for Rawhide, please always use release >= 2 # for Rawhide, please always use release >= 2
# for Fedora release branches, please use release < 2 (1.0, 1.1, ...) # for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
Release: 1.0%{?dist} Release: 1.1%{?dist}
License: MPLv2.0 License: MPLv2.0
URL: http://www.mozilla.org/projects/security/pki/nss/ URL: http://www.mozilla.org/projects/security/pki/nss/
Group: System Environment/Libraries
Requires: nspr >= %{nspr_version} Requires: nspr >= %{nspr_version}
Requires: nss-util >= %{nss_util_version} Requires: nss-util >= %{nss_version}
# TODO: revert to same version as nss once we are done with the merge # TODO: revert to same version as nss once we are done with the merge
Requires: nss-softokn%{_isa} >= %{nss_softokn_version} Requires: nss-softokn%{_isa} >= %{nss_version}
Requires: nss-system-init Requires: nss-system-init
Requires: p11-kit-trust Requires: p11-kit-trust
Requires: crypto-policies
BuildRequires: nspr-devel >= %{nspr_version} BuildRequires: nspr-devel >= %{nspr_version}
# TODO: revert to same version as nss once we are done with the merge # for shlibsign
# Using '>=' but on RHEL the requires should be '=' BuildRequires: nss-softokn
BuildRequires: nss-softokn-devel >= %{nss_softokn_version}
BuildRequires: nss-util-devel >= %{nss_util_version}
BuildRequires: sqlite-devel BuildRequires: sqlite-devel
BuildRequires: zlib-devel BuildRequires: zlib-devel
BuildRequires: pkgconfig BuildRequires: pkgconfig
@ -41,29 +76,23 @@ BuildRequires: psmisc
BuildRequires: perl-interpreter BuildRequires: perl-interpreter
BuildRequires: gcc-c++ BuildRequires: gcc-c++
# NSS 3.28.1 introduced a curve, that is smaller than a check in old Source0: https://ftp.mozilla.org/pub/security/nss/releases/%{nss_release_tag}/src/%{name}-%{nss_archive_version}.tar.gz
# Mozilla code allows. Source1: nss-util.pc.in
# https://bugzilla.redhat.com/show_bug.cgi?id=1413182 Source2: nss-util-config.in
Conflicts: firefox < 50.1.0-3 Source3: nss-softokn.pc.in
# https://bugzilla.redhat.com/show_bug.cgi?id=1414983 Source4: nss-softokn-config.in
Conflicts: xulrunner < 44.0-9 Source5: nss-softokn-prelink.conf
# https://bugzilla.redhat.com/show_bug.cgi?id=1414929 Source6: nss-softokn-dracut-module-setup.sh
Conflicts: thunderbird < 45.6.0-5 Source7: nss-softokn-dracut.conf
# https://bugzilla.redhat.com/show_bug.cgi?id=1414982 Source8: nss.pc.in
Conflicts: seamonkey < 2.46-2 Source9: nss-config.in
# https://bugzilla.redhat.com/show_bug.cgi?id=1414987 Source10: blank-cert8.db
# Conflicts: icecat < 45.5.1-5 Source11: blank-key3.db
Source12: blank-secmod.db
Source0: %{name}-%{nss_archive_version}.tar.gz Source13: blank-cert9.db
Source1: nss.pc.in Source14: blank-key4.db
Source2: nss-config.in Source15: system-pkcs11.txt
Source3: blank-cert8.db Source16: setup-nsssysinit.sh
Source4: blank-key3.db
Source5: blank-secmod.db
Source6: blank-cert9.db
Source7: blank-key4.db
Source8: system-pkcs11.txt
Source9: setup-nsssysinit.sh
Source20: nss-config.xml Source20: nss-config.xml
Source21: setup-nsssysinit.xml Source21: setup-nsssysinit.xml
Source22: pkcs11.txt.xml Source22: pkcs11.txt.xml
@ -72,15 +101,15 @@ Source24: cert9.db.xml
Source25: key3.db.xml Source25: key3.db.xml
Source26: key4.db.xml Source26: key4.db.xml
Source27: secmod.db.xml Source27: secmod.db.xml
Source28: nss-p11-kit.config
Source29: PayPalICA.cert
Source30: PayPalEE.cert
Patch2: add-relro-linker-option.patch Patch1: renegotiate-transitional.patch
Patch3: renegotiate-transitional.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=617723 # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=617723
Patch16: nss-539183.patch Patch2: nss-539183.patch
# Fedora / RHEL-only patch, the templates directory was originally introduced to support mod_revocator # Fedora / RHEL-only patch, the templates directory was originally introduced to support mod_revocator
Patch47: utilwrap-include-templates.patch Patch3: utilwrap-include-templates.patch
# TODO remove when we switch to building nss without softoken
Patch49: nss-skip-bltest-and-fipstest.patch
# This patch uses the GCC -iquote option documented at # This patch uses the GCC -iquote option documented at
# http://gcc.gnu.org/onlinedocs/gcc/Directory-Options.html#Directory-Options # http://gcc.gnu.org/onlinedocs/gcc/Directory-Options.html#Directory-Options
# to give the in-tree headers a higher priority over the system headers, # to give the in-tree headers a higher priority over the system headers,
@ -92,10 +121,11 @@ Patch49: nss-skip-bltest-and-fipstest.patch
# #
# Once the buildroot aha been bootstrapped the patch may be removed # Once the buildroot aha been bootstrapped the patch may be removed
# but it doesn't hurt to keep it. # but it doesn't hurt to keep it.
Patch50: iquote.patch Patch4: iquote.patch
# Local patch for TLS_ECDHE_{ECDSA|RSA}_WITH_3DES_EDE_CBC_SHA ciphers # Local patch for TLS_ECDHE_{ECDSA|RSA}_WITH_3DES_EDE_CBC_SHA ciphers
Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch Patch5: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
Patch62: nss-skip-util-gtest.patch # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1505317
Patch6: nss-tests-paypal-certs-v2.patch
%description %description
Network Security Services (NSS) is a set of libraries designed to Network Security Services (NSS) is a set of libraries designed to
@ -106,7 +136,6 @@ v3 certificates, and other security standards.
%package tools %package tools
Summary: Tools for the Network Security Services Summary: Tools for the Network Security Services
Group: System Environment/Base
Requires: %{name}%{?_isa} = %{version}-%{release} Requires: %{name}%{?_isa} = %{version}-%{release}
%description tools %description tools
@ -121,7 +150,6 @@ manipulate the NSS certificate and key database.
%package sysinit %package sysinit
Summary: System NSS Initialization Summary: System NSS Initialization
Group: System Environment/Base
# providing nss-system-init without version so that it can # providing nss-system-init without version so that it can
# be replaced by a better one, e.g. supplied by the os vendor # be replaced by a better one, e.g. supplied by the os vendor
Provides: nss-system-init Provides: nss-system-init
@ -136,9 +164,8 @@ any system or user configured modules.
%package devel %package devel
Summary: Development libraries for Network Security Services Summary: Development libraries for Network Security Services
Group: Development/Libraries
Provides: nss-static = %{version}-%{release} Provides: nss-static = %{version}-%{release}
Requires: nss = %{version}-%{release} Requires: nss%{?_isa} = %{version}-%{release}
Requires: nss-util-devel Requires: nss-util-devel
Requires: nss-softokn-devel Requires: nss-softokn-devel
Requires: nspr-devel >= %{nspr_version} Requires: nspr-devel >= %{nspr_version}
@ -151,67 +178,109 @@ Header and Library files for doing development with Network Security Services.
%package pkcs11-devel %package pkcs11-devel
Summary: Development libraries for PKCS #11 (Cryptoki) using NSS Summary: Development libraries for PKCS #11 (Cryptoki) using NSS
Group: Development/Libraries
Provides: nss-pkcs11-devel-static = %{version}-%{release} Provides: nss-pkcs11-devel-static = %{version}-%{release}
Requires: nss-devel = %{version}-%{release} Requires: nss-devel = %{version}-%{release}
# TODO: revert to using nss_softokn_version once we are done with Requires: nss-softokn-freebl-devel = %{version}-%{release}
# the merge into to new rhel git repo
# For RHEL we should have '=' instead of '>='
Requires: nss-softokn-freebl-devel >= %{nss_softokn_version}
%description pkcs11-devel %description pkcs11-devel
Library files for developing PKCS #11 modules using basic NSS Library files for developing PKCS #11 modules using basic NSS
low level services. low level services.
%package util
Summary: Network Security Services Utilities Library
Requires: nspr >= %{nspr_version}
%description util
Utilities for Network Security Services and the Softoken module
%package util-devel
Summary: Development libraries for Network Security Services Utilities
Requires: nss-util%{?_isa} = %{version}-%{release}
Requires: nspr-devel >= %{nspr_version}
Requires: pkgconfig
%description util-devel
Header and library files for doing development with Network Security Services.
%package softokn
Summary: Network Security Services Softoken Module
Requires: nspr >= %{nspr_version}
Requires: nss-util >= %{version}-%{release}
Requires: nss-softokn-freebl%{_isa} >= %{version}-%{release}
%description softokn
Network Security Services Softoken Cryptographic Module
%package softokn-freebl
Summary: Freebl library for the Network Security Services
# For PR_GetEnvSecure() from nspr >= 4.12
Requires: nspr >= 4.12
# For NSS_SecureMemcmpZero() from nss-util >= 3.33
Requires: nss-util >= 3.33
Conflicts: nss < 3.12.2.99.3-5
Conflicts: prelink < 0.4.3
Conflicts: filesystem < 3
%description softokn-freebl
NSS Softoken Cryptographic Module Freebl Library
Install the nss-softokn-freebl package if you need the freebl library.
%package softokn-freebl-devel
Summary: Header and Library files for doing development with the Freebl library for NSS
Provides: nss-softokn-freebl-static = %{version}-%{release}
Requires: nss-softokn-freebl%{?_isa} = %{version}-%{release}
%description softokn-freebl-devel
NSS Softoken Cryptographic Module Freebl Library Development Tools
This package supports special needs of some PKCS #11 module developers and
is otherwise considered private to NSS. As such, the programming interfaces
may change and the usual NSS binary compatibility commitments do not apply.
Developers should rely only on the officially supported NSS public API.
%package softokn-devel
Summary: Development libraries for Network Security Services
Requires: nss-softokn%{?_isa} = %{version}-%{release}
Requires: nss-softokn-freebl-devel%{?_isa} = %{version}-%{release}
Requires: nspr-devel >= %{nspr_version}
Requires: nss-util-devel >= %{version}-%{release}
Requires: pkgconfig
BuildRequires: nspr-devel >= %{nspr_version}
%description softokn-devel
Header and library files for doing development with Network Security Services.
%prep %prep
%setup -q -n %{name}-%{nss_archive_version} %setup -q -n %{name}-%{nss_archive_version}
%patch2 -p0 -b .relro %patch1 -p0 -b .transitional
%patch3 -p0 -b .transitional %patch2 -p0 -b .539183
%patch16 -p0 -b .539183 %patch3 -p0 -b .templates
%patch47 -p0 -b .templates %patch4 -p0 -b .iquote
%patch49 -p0 -b .skipthem %patch5 -p0 -b .1185708_3des
%patch50 -p0 -b .iquote
%patch58 -p0 -b .1185708_3des
pushd nss pushd nss
%patch62 -p1 -b .skip_util_gtest %patch6 -p1 -b .paypal-certs
cp %{SOURCE29} %{SOURCE30} tests/libpkix/certs
popd popd
#########################################################
# Higher-level libraries and test tools need access to
# module-private headers from util, freebl, and softoken
# until fixed upstream we must copy some headers locally
#########################################################
# Copying these headers until the upstream bug is accepted
# Upstream https://bugzilla.mozilla.org/show_bug.cgi?id=820207
%{__cp} ./nss/lib/softoken/lowkeyi.h ./nss/cmd/rsaperf
%{__cp} ./nss/lib/softoken/lowkeyti.h ./nss/cmd/rsaperf
# Before removing util directory we must save verref.h
# as it will be needed later during the build phase.
%{__mv} ./nss/lib/util/verref.h ./nss/verref.h
##### Remove util/freebl/softoken and low level tools
######## Remove freebl, softoken and util
%{__rm} -rf ./nss/lib/freebl
%{__rm} -rf ./nss/lib/softoken
%{__rm} -rf ./nss/lib/util
######## Remove nss-softokn test tools as we already ran
# the cipher test suite as part of the nss-softokn build
%{__rm} -rf ./nss/cmd/bltest
%{__rm} -rf ./nss/cmd/fipstest
%{__rm} -rf ./nss/cmd/rsaperf_low
%build %build
FREEBL_NO_DEPEND=1 export FREEBL_NO_DEPEND=1
export FREEBL_NO_DEPEND
NSS_FORCE_FIPS=1 # Must export FREEBL_LOWHASH=1 for nsslowhash.h so that it gets
export NSS_FORCE_FIPS # copied to dist and the rpm install phase can find it
# This due of the upstream changes to fix
# https://bugzilla.mozilla.org/show_bug.cgi?id=717906
export FREEBL_LOWHASH=1
# uncomment if the iquote patch is activated
export IN_TREE_FREEBL_HEADERS_FIRST=1
export NSS_FORCE_FIPS=1
# Enable compiler optimizations and disable debugging code # Enable compiler optimizations and disable debugging code
export BUILD_OPT=1 export BUILD_OPT=1
@ -221,62 +290,31 @@ export BUILD_OPT=1
#export RPM_OPT_FLAGS #export RPM_OPT_FLAGS
# Generate symbolic info for debuggers # Generate symbolic info for debuggers
XCFLAGS=$RPM_OPT_FLAGS export XCFLAGS=$RPM_OPT_FLAGS
export XCFLAGS
LDFLAGS=$RPM_LD_FLAGS export LDFLAGS=$RPM_LD_FLAGS
export LDFLAGS
PKG_CONFIG_ALLOW_SYSTEM_LIBS=1 export DSO_LDOPTS=$RPM_LD_FLAGS
PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1
export PKG_CONFIG_ALLOW_SYSTEM_LIBS export PKG_CONFIG_ALLOW_SYSTEM_LIBS=1
export PKG_CONFIG_ALLOW_SYSTEM_CFLAGS export PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1
NSPR_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nspr | sed 's/-I//'` export NSPR_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nspr | sed 's/-I//'`
NSPR_LIB_DIR=%{_libdir} export NSPR_LIB_DIR=%{_libdir}
export NSPR_INCLUDE_DIR export NSS_USE_SYSTEM_SQLITE=1
export NSPR_LIB_DIR
export NSSUTIL_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nss-util | sed 's/-I//'` export NSS_ALLOW_SSLKEYLOGFILE=1
export NSSUTIL_LIB_DIR=%{_libdir}
export FREEBL_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nss-softokn | sed 's/-I//'`
export FREEBL_LIB_DIR=%{_libdir}
export USE_SYSTEM_FREEBL=1
# FIXME choose one or the other style and submit a patch upstream
# wtc has suggested using NSS_USE_SYSTEM_FREEBL
export NSS_USE_SYSTEM_FREEBL=1
export FREEBL_LIBS=`/usr/bin/pkg-config --libs nss-softokn`
export SOFTOKEN_LIB_DIR=%{_libdir}
# use the system ones
export USE_SYSTEM_NSSUTIL=1
export USE_SYSTEM_SOFTOKEN=1
# tell the upstream build system what we are doing
export NSS_BUILD_WITHOUT_SOFTOKEN=1
NSS_USE_SYSTEM_SQLITE=1
export NSS_USE_SYSTEM_SQLITE
%ifnarch noarch %ifnarch noarch
%if 0%{__isa_bits} == 64 %if 0%{__isa_bits} == 64
USE_64=1 export USE_64=1
export USE_64
%endif %endif
%endif %endif
# uncomment if the iquote patch is activated
export IN_TREE_FREEBL_HEADERS_FIRST=1
##### phase 2: build the rest of nss ##### phase 2: build the rest of nss
export NSS_BLTEST_NOT_AVAILABLE=1 make -C ./nss/coreconf
make -C ./nss/lib/dbm
%{__make} -C ./nss/coreconf
%{__make} -C ./nss/lib/dbm
# Set the policy file location # Set the policy file location
# if set NSS will always check for the policy file and load if it exists # if set NSS will always check for the policy file and load if it exists
@ -284,48 +322,82 @@ export POLICY_FILE="nss.config"
# location of the policy file # location of the policy file
export POLICY_PATH="/etc/crypto-policies/back-ends" export POLICY_PATH="/etc/crypto-policies/back-ends"
# nss/nssinit.c, ssl/sslcon.c, smime/smimeutil.c and ckfw/builtins/binst.c make -C ./nss
# need nss/lib/util/verref.h which is exported privately,
# copy the one we saved during prep so it they can find it.
%{__mkdir_p} ./dist/private/nss
%{__mv} ./nss/verref.h ./dist/private/nss/verref.h
%{__make} -C ./nss
unset NSS_BLTEST_NOT_AVAILABLE
# build the man pages clean # build the man pages clean
pushd ./nss pushd ./nss
%{__make} clean_docs build_docs make clean_docs build_docs
popd popd
# and copy them to the dist directory for %%install to find them # and copy them to the dist directory for %%install to find them
%{__mkdir_p} ./dist/docs/nroff mkdir -p ./dist/docs/nroff
%{__cp} ./nss/doc/nroff/* ./dist/docs/nroff cp ./nss/doc/nroff/* ./dist/docs/nroff
# Set up our package file # Set up our package files
# The nspr_version and nss_{util|softokn}_version globals used mkdir -p ./dist/pkgconfig
# here match the ones nss has for its Requires.
# Using the current %%{nss_softokn_version} for fedora again cat %{SOURCE1} | sed -e "s,%%libdir%%,%{_libdir},g" \
%{__mkdir_p} ./dist/pkgconfig -e "s,%%prefix%%,%{_prefix},g" \
%{__cat} %{SOURCE1} | sed -e "s,%%libdir%%,%{_libdir},g" \ -e "s,%%exec_prefix%%,%{_prefix},g" \
-e "s,%%includedir%%,%{_includedir}/nss3,g" \
-e "s,%%NSPR_VERSION%%,%{nspr_version},g" \
-e "s,%%NSSUTIL_VERSION%%,%{version},g" > \
./dist/pkgconfig/nss-util.pc
NSSUTIL_VMAJOR=`cat nss/lib/util/nssutil.h | grep "#define.*NSSUTIL_VMAJOR" | awk '{print $3}'`
NSSUTIL_VMINOR=`cat nss/lib/util/nssutil.h | grep "#define.*NSSUTIL_VMINOR" | awk '{print $3}'`
NSSUTIL_VPATCH=`cat nss/lib/util/nssutil.h | grep "#define.*NSSUTIL_VPATCH" | awk '{print $3}'`
cat %{SOURCE2} | sed -e "s,@libdir@,%{_libdir},g" \
-e "s,@prefix@,%{_prefix},g" \
-e "s,@exec_prefix@,%{_prefix},g" \
-e "s,@includedir@,%{_includedir}/nss3,g" \
-e "s,@MOD_MAJOR_VERSION@,$NSSUTIL_VMAJOR,g" \
-e "s,@MOD_MINOR_VERSION@,$NSSUTIL_VMINOR,g" \
-e "s,@MOD_PATCH_VERSION@,$NSSUTIL_VPATCH,g" \
> ./dist/pkgconfig/nss-util-config
chmod 755 ./dist/pkgconfig/nss-util-config
cat %{SOURCE3} | sed -e "s,%%libdir%%,%{_libdir},g" \
-e "s,%%prefix%%,%{_prefix},g" \
-e "s,%%exec_prefix%%,%{_prefix},g" \
-e "s,%%includedir%%,%{_includedir}/nss3,g" \
-e "s,%%NSPR_VERSION%%,%{nspr_version},g" \
-e "s,%%NSSUTIL_VERSION%%,%{nss_version},g" \
-e "s,%%SOFTOKEN_VERSION%%,%{version},g" > \
./dist/pkgconfig/nss-softokn.pc
SOFTOKEN_VMAJOR=`cat nss/lib/softoken/softkver.h | grep "#define.*SOFTOKEN_VMAJOR" | awk '{print $3}'`
SOFTOKEN_VMINOR=`cat nss/lib/softoken/softkver.h | grep "#define.*SOFTOKEN_VMINOR" | awk '{print $3}'`
SOFTOKEN_VPATCH=`cat nss/lib/softoken/softkver.h | grep "#define.*SOFTOKEN_VPATCH" | awk '{print $3}'`
cat %{SOURCE4} | sed -e "s,@libdir@,%{_libdir},g" \
-e "s,@prefix@,%{_prefix},g" \
-e "s,@exec_prefix@,%{_prefix},g" \
-e "s,@includedir@,%{_includedir}/nss3,g" \
-e "s,@MOD_MAJOR_VERSION@,$SOFTOKEN_VMAJOR,g" \
-e "s,@MOD_MINOR_VERSION@,$SOFTOKEN_VMINOR,g" \
-e "s,@MOD_PATCH_VERSION@,$SOFTOKEN_VPATCH,g" \
> ./dist/pkgconfig/nss-softokn-config
chmod 755 ./dist/pkgconfig/nss-softokn-config
cat %{SOURCE8} | sed -e "s,%%libdir%%,%{_libdir},g" \
-e "s,%%prefix%%,%{_prefix},g" \ -e "s,%%prefix%%,%{_prefix},g" \
-e "s,%%exec_prefix%%,%{_prefix},g" \ -e "s,%%exec_prefix%%,%{_prefix},g" \
-e "s,%%includedir%%,%{_includedir}/nss3,g" \ -e "s,%%includedir%%,%{_includedir}/nss3,g" \
-e "s,%%NSS_VERSION%%,%{version},g" \ -e "s,%%NSS_VERSION%%,%{version},g" \
-e "s,%%NSPR_VERSION%%,%{nspr_version},g" \ -e "s,%%NSPR_VERSION%%,%{nspr_version},g" \
-e "s,%%NSSUTIL_VERSION%%,%{nss_util_version},g" \ -e "s,%%NSSUTIL_VERSION%%,%{nss_version},g" \
-e "s,%%SOFTOKEN_VERSION%%,%{nss_softokn_version},g" > \ -e "s,%%SOFTOKEN_VERSION%%,%{nss_version},g" > \
./dist/pkgconfig/nss.pc ./dist/pkgconfig/nss.pc
NSS_VMAJOR=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VMAJOR" | awk '{print $3}'` NSS_VMAJOR=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VMAJOR" | awk '{print $3}'`
NSS_VMINOR=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VMINOR" | awk '{print $3}'` NSS_VMINOR=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VMINOR" | awk '{print $3}'`
NSS_VPATCH=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VPATCH" | awk '{print $3}'` NSS_VPATCH=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VPATCH" | awk '{print $3}'`
export NSS_VMAJOR cat %{SOURCE9} | sed -e "s,@libdir@,%{_libdir},g" \
export NSS_VMINOR
export NSS_VPATCH
%{__cat} %{SOURCE2} | sed -e "s,@libdir@,%{_libdir},g" \
-e "s,@prefix@,%{_prefix},g" \ -e "s,@prefix@,%{_prefix},g" \
-e "s,@exec_prefix@,%{_prefix},g" \ -e "s,@exec_prefix@,%{_prefix},g" \
-e "s,@includedir@,%{_includedir}/nss3,g" \ -e "s,@includedir@,%{_includedir}/nss3,g" \
@ -336,10 +408,10 @@ export NSS_VPATCH
chmod 755 ./dist/pkgconfig/nss-config chmod 755 ./dist/pkgconfig/nss-config
%{__cat} %{SOURCE9} > ./dist/pkgconfig/setup-nsssysinit.sh cat %{SOURCE16} > ./dist/pkgconfig/setup-nsssysinit.sh
chmod 755 ./dist/pkgconfig/setup-nsssysinit.sh chmod 755 ./dist/pkgconfig/setup-nsssysinit.sh
%{__cp} ./nss/lib/ckfw/nssck.api ./dist/private/nss/ cp ./nss/lib/ckfw/nssck.api ./dist/private/nss/
date +"%e %B %Y" | tr -d '\n' > date.xml date +"%e %B %Y" | tr -d '\n' > date.xml
echo -n %{version} > version.xml echo -n %{version} > version.xml
@ -362,30 +434,19 @@ done
%check %check
if [ ${DISABLETEST:-0} -eq 1 ]; then %if %{with tests}
echo "testing disabled"
exit 0
fi
# Begin -- copied from the build section # Begin -- copied from the build section
FREEBL_NO_DEPEND=1 export FREEBL_NO_DEPEND=1
export FREEBL_NO_DEPEND
export BUILD_OPT=1 export BUILD_OPT=1
%ifnarch noarch %ifnarch noarch
%if 0%{__isa_bits} == 64 %if 0%{__isa_bits} == 64
USE_64=1 export USE_64=1
export USE_64
%endif %endif
%endif %endif
export NSS_BLTEST_NOT_AVAILABLE=1
# needed for the fips mangling test
export SOFTOKEN_LIB_DIR=%{_libdir}
# End -- copied from the build section # End -- copied from the build section
# This is necessary because the test suite tests algorithms that are # This is necessary because the test suite tests algorithms that are
@ -444,13 +505,7 @@ pushd ./nss/tests/
# % define nss_ssl_tests "normal_fips" # % define nss_ssl_tests "normal_fips"
# % define nss_ssl_run "cov" # % define nss_ssl_run "cov"
SKIP_NSS_TEST_SUITE=`echo $SKIP_NSS_TEST_SUITE` HOST=localhost DOMSUF=localdomain PORT=$MYRAND NSS_CYCLES=%{?nss_cycles} NSS_TESTS=%{?nss_tests} NSS_SSL_TESTS=%{?nss_ssl_tests} NSS_SSL_RUN=%{?nss_ssl_run} ./all.sh
if [ "x$SKIP_NSS_TEST_SUITE" == "x" ]; then
HOST=localhost DOMSUF=localdomain PORT=$MYRAND NSS_CYCLES=%{?nss_cycles} NSS_TESTS=%{?nss_tests} NSS_SSL_TESTS=%{?nss_ssl_tests} NSS_SSL_RUN=%{?nss_ssl_run} ./all.sh
else
echo "skipped test suite"
fi
popd popd
@ -461,12 +516,7 @@ popd
# GREP_EXIT_STATUS > 1 would indicate an error in grep such as failure to find the log file. # GREP_EXIT_STATUS > 1 would indicate an error in grep such as failure to find the log file.
killall $RANDSERV || : killall $RANDSERV || :
if [ "x$SKIP_NSS_TEST_SUITE" == "x" ]; then TEST_FAILURES=$(grep -c -- '- FAILED$' ./tests_results/security/localhost.1/output.log) || GREP_EXIT_STATUS=$?
TEST_FAILURES=$(grep -c -- '- FAILED$' ./tests_results/security/localhost.1/output.log) || GREP_EXIT_STATUS=$?
else
TEST_FAILURES=0
GREP_EXIT_STATUS=1
fi
if [ ${GREP_EXIT_STATUS:-0} -eq 1 ]; then if [ ${GREP_EXIT_STATUS:-0} -eq 1 ]; then
echo "okay: test suite detected no failures" echo "okay: test suite detected no failures"
@ -488,81 +538,105 @@ else
fi fi
fi fi
echo "test suite completed" echo "test suite completed"
%endif
%install %install
%{__rm} -rf $RPM_BUILD_ROOT
# There is no make install target so we'll do it ourselves. # There is no make install target so we'll do it ourselves.
%{__mkdir_p} $RPM_BUILD_ROOT/%{_includedir}/nss3 mkdir -p $RPM_BUILD_ROOT/%{_includedir}/nss3
%{__mkdir_p} $RPM_BUILD_ROOT/%{_includedir}/nss3/templates mkdir -p $RPM_BUILD_ROOT/%{_includedir}/nss3/templates
%{__mkdir_p} $RPM_BUILD_ROOT/%{_bindir} mkdir -p $RPM_BUILD_ROOT/%{_bindir}
%{__mkdir_p} $RPM_BUILD_ROOT/%{_libdir} mkdir -p $RPM_BUILD_ROOT/%{_libdir}
%{__mkdir_p} $RPM_BUILD_ROOT/%{unsupported_tools_directory} mkdir -p $RPM_BUILD_ROOT/%{unsupported_tools_directory}
%{__mkdir_p} $RPM_BUILD_ROOT/%{_libdir}/pkgconfig mkdir -p $RPM_BUILD_ROOT/%{_libdir}/pkgconfig
mkdir -p $RPM_BUILD_ROOT/%{saved_files_dir}
mkdir -p $RPM_BUILD_ROOT/%{prelink_conf_dir}
mkdir -p $RPM_BUILD_ROOT/%{dracut_modules_dir}
mkdir -p $RPM_BUILD_ROOT/%{dracut_conf_dir}
mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/crypto-policies/local.d
%if %{defined rhel} %if %{defined rhel}
# not needed for rhel and its derivatives only fedora # not needed for rhel and its derivatives only fedora
%else %else
# because of the pp.1 conflict with perl-PAR-Packer # because of the pp.1 conflict with perl-PAR-Packer
%{__mkdir_p} $RPM_BUILD_ROOT%{_datadir}/doc/nss-tools mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/nss-tools
%endif %endif
install -m 644 %{SOURCE5} $RPM_BUILD_ROOT/%{prelink_conf_dir}
install -m 755 %{SOURCE6} $RPM_BUILD_ROOT/%{dracut_modules_dir}/module-setup.sh
install -m 644 %{SOURCE7} $RPM_BUILD_ROOT/%{dracut_conf_dir}/50-nss-softokn.conf
mkdir -p $RPM_BUILD_ROOT%{_mandir}/man1 mkdir -p $RPM_BUILD_ROOT%{_mandir}/man1
mkdir -p $RPM_BUILD_ROOT%{_mandir}/man5 mkdir -p $RPM_BUILD_ROOT%{_mandir}/man5
# Copy the binary libraries we want # Copy the binary libraries we want
for file in libnss3.so libnsssysinit.so libsmime3.so libssl3.so for file in libnssutil3.so libsoftokn3.so libnssdbm3.so libfreebl3.so libfreeblpriv3.so libnss3.so libnsssysinit.so libsmime3.so libssl3.so
do do
%{__install} -p -m 755 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir} install -p -m 755 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
done done
# Install the empty NSS db files # Install the empty NSS db files
# Legacy db # Legacy db
%{__mkdir_p} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb
%{__install} -p -m 644 %{SOURCE3} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert8.db install -p -m 644 %{SOURCE10} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert8.db
%{__install} -p -m 644 %{SOURCE4} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key3.db install -p -m 644 %{SOURCE11} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key3.db
%{__install} -p -m 644 %{SOURCE5} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/secmod.db install -p -m 644 %{SOURCE12} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/secmod.db
# Shared db # Shared db
%{__install} -p -m 644 %{SOURCE6} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert9.db install -p -m 644 %{SOURCE13} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert9.db
%{__install} -p -m 644 %{SOURCE7} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key4.db install -p -m 644 %{SOURCE14} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key4.db
%{__install} -p -m 644 %{SOURCE8} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/pkcs11.txt install -p -m 644 %{SOURCE15} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/pkcs11.txt
# Copy the development libraries we want # Copy the development libraries we want
for file in libcrmf.a libnssb.a libnssckfw.a for file in libcrmf.a libnssb.a libnssckfw.a
do do
%{__install} -p -m 644 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir} install -p -m 644 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
done done
# Copy the binaries we want # Copy the binaries we want
for file in certutil cmsutil crlutil modutil nss-policy-check pk12util signver ssltap for file in certutil cmsutil crlutil modutil nss-policy-check pk12util signver ssltap
do do
%{__install} -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{_bindir} install -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{_bindir}
done done
# Copy the binaries we ship as unsupported # Copy the binaries we ship as unsupported
for file in atob btoa derdump listsuites ocspclnt pp selfserv signtool strsclnt symkeyutil tstclnt vfyserv vfychain for file in bltest ecperf fbectest fipstest shlibsign atob btoa derdump listsuites ocspclnt pp selfserv signtool strsclnt symkeyutil tstclnt vfyserv vfychain
do do
%{__install} -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{unsupported_tools_directory} install -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{unsupported_tools_directory}
done done
# Copy the include files we want # Copy the include files we want
for file in dist/public/nss/*.h for file in dist/public/nss/*.h
do do
%{__install} -p -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss3 install -p -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss3
done
# Copy some freebl include files we also want
for file in blapi.h alghmac.h
do
install -p -m 644 dist/private/nss/$file $RPM_BUILD_ROOT/%{_includedir}/nss3
done
# Copy the static freebl library
for file in libfreebl.a
do
install -p -m 644 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
done done
# Copy the template files we want # Copy the template files we want
for file in dist/private/nss/nssck.api for file in dist/private/nss/templates.c dist/private/nss/nssck.api
do do
%{__install} -p -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss3/templates install -p -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss3/templates
done done
# Copy the package configuration files # Copy the package configuration files
%{__install} -p -m 644 ./dist/pkgconfig/nss.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss.pc install -p -m 644 ./dist/pkgconfig/nss-util.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss-util.pc
%{__install} -p -m 755 ./dist/pkgconfig/nss-config $RPM_BUILD_ROOT/%{_bindir}/nss-config install -p -m 755 ./dist/pkgconfig/nss-util-config $RPM_BUILD_ROOT/%{_bindir}/nss-util-config
install -p -m 644 ./dist/pkgconfig/nss-softokn.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss-softokn.pc
install -p -m 755 ./dist/pkgconfig/nss-softokn-config $RPM_BUILD_ROOT/%{_bindir}/nss-softokn-config
install -p -m 644 ./dist/pkgconfig/nss.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss.pc
install -p -m 755 ./dist/pkgconfig/nss-config $RPM_BUILD_ROOT/%{_bindir}/nss-config
# Copy the pkcs #11 configuration script # Copy the pkcs #11 configuration script
%{__install} -p -m 755 ./dist/pkgconfig/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh install -p -m 755 ./dist/pkgconfig/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh
# install a symbolic link to it, without the ".sh" suffix, # install a symbolic link to it, without the ".sh" suffix,
# that matches the man page documentation # that matches the man page documentation
ln -r -s -f $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit ln -r -s -f $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit
@ -590,20 +664,22 @@ for f in cert8.db cert9.db key3.db key4.db secmod.db; do
install -c -m 644 ${f}.5 $RPM_BUILD_ROOT%{_mandir}/man5/${f}.5 install -c -m 644 ${f}.5 $RPM_BUILD_ROOT%{_mandir}/man5/${f}.5
done done
# Copy the crypto-policies configuration file
install -p -m 644 %{SOURCE28} $RPM_BUILD_ROOT/%{_sysconfdir}/crypto-policies/local.d
%triggerpostun -n nss-sysinit -- nss-sysinit < 3.12.8-3 %triggerpostun -n nss-sysinit -- nss-sysinit < 3.12.8-3
# Reverse unwanted disabling of sysinit by faulty preun sysinit scriplet # Reverse unwanted disabling of sysinit by faulty preun sysinit scriplet
# from previous versions of nss.spec # from previous versions of nss.spec
/usr/bin/setup-nsssysinit.sh on /usr/bin/setup-nsssysinit.sh on
%post %post
/sbin/ldconfig update-crypto-policies
%postun %postun
/sbin/ldconfig update-crypto-policies
%files %files
%defattr(-,root,root)
%{!?_licensedir:%global license %%doc} %{!?_licensedir:%global license %%doc}
%license nss/COPYING %license nss/COPYING
%{_libdir}/libnss3.so %{_libdir}/libnss3.so
@ -616,23 +692,22 @@ done
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert9.db %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert9.db
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key4.db %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key4.db
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/pkcs11.txt %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/pkcs11.txt
%attr(0644,root,root) %doc %{_mandir}/man5/cert8.db.5.gz %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/crypto-policies/local.d/nss-p11-kit.config
%attr(0644,root,root) %doc %{_mandir}/man5/key3.db.5.gz %doc %{_mandir}/man5/cert8.db.5*
%attr(0644,root,root) %doc %{_mandir}/man5/secmod.db.5.gz %doc %{_mandir}/man5/key3.db.5*
%attr(0644,root,root) %doc %{_mandir}/man5/cert9.db.5.gz %doc %{_mandir}/man5/secmod.db.5*
%attr(0644,root,root) %doc %{_mandir}/man5/key4.db.5.gz %doc %{_mandir}/man5/cert9.db.5*
%attr(0644,root,root) %doc %{_mandir}/man5/pkcs11.txt.5.gz %doc %{_mandir}/man5/key4.db.5*
%doc %{_mandir}/man5/pkcs11.txt.5*
%files sysinit %files sysinit
%defattr(-,root,root)
%{_libdir}/libnsssysinit.so %{_libdir}/libnsssysinit.so
%{_bindir}/setup-nsssysinit.sh %{_bindir}/setup-nsssysinit.sh
# symbolic link to setup-nsssysinit.sh # symbolic link to setup-nsssysinit.sh
%{_bindir}/setup-nsssysinit %{_bindir}/setup-nsssysinit
%attr(0644,root,root) %doc %{_mandir}/man1/setup-nsssysinit.1.gz %doc %{_mandir}/man1/setup-nsssysinit.1*
%files tools %files tools
%defattr(-,root,root)
%{_bindir}/certutil %{_bindir}/certutil
%{_bindir}/cmsutil %{_bindir}/cmsutil
%{_bindir}/crlutil %{_bindir}/crlutil
@ -654,33 +729,32 @@ done
%{unsupported_tools_directory}/tstclnt %{unsupported_tools_directory}/tstclnt
%{unsupported_tools_directory}/vfyserv %{unsupported_tools_directory}/vfyserv
%{unsupported_tools_directory}/vfychain %{unsupported_tools_directory}/vfychain
# instead of %%{_mandir}/man*/* let's list them explicitely # instead of %%{_mandir}/man*/* let's list them explicitly
# supported tools # supported tools
%attr(0644,root,root) %doc %{_mandir}/man1/certutil.1.gz %doc %{_mandir}/man1/certutil.1*
%attr(0644,root,root) %doc %{_mandir}/man1/cmsutil.1.gz %doc %{_mandir}/man1/cmsutil.1*
%attr(0644,root,root) %doc %{_mandir}/man1/crlutil.1.gz %doc %{_mandir}/man1/crlutil.1*
%attr(0644,root,root) %doc %{_mandir}/man1/modutil.1.gz %doc %{_mandir}/man1/modutil.1*
%attr(0644,root,root) %doc %{_mandir}/man1/pk12util.1.gz %doc %{_mandir}/man1/pk12util.1*
%attr(0644,root,root) %doc %{_mandir}/man1/signver.1.gz %doc %{_mandir}/man1/signver.1*
# unsupported tools # unsupported tools
%attr(0644,root,root) %doc %{_mandir}/man1/derdump.1.gz %doc %{_mandir}/man1/derdump.1*
%attr(0644,root,root) %doc %{_mandir}/man1/signtool.1.gz %doc %{_mandir}/man1/signtool.1*
%if %{defined rhel} %if %{defined rhel}
%attr(0644,root,root) %doc %{_mandir}/man1/pp.1.gz %doc %{_mandir}/man1/pp.1*
%else %else
%dir %{_datadir}/doc/nss-tools %dir %{_datadir}/doc/nss-tools
%attr(0644,root,root) %doc %{_datadir}/doc/nss-tools/pp.1 %doc %{_datadir}/doc/nss-tools/pp.1
%endif %endif
%attr(0644,root,root) %doc %{_mandir}/man1/ssltap.1.gz %doc %{_mandir}/man1/ssltap.1*
%attr(0644,root,root) %doc %{_mandir}/man1/vfychain.1.gz %doc %{_mandir}/man1/vfychain.1*
%attr(0644,root,root) %doc %{_mandir}/man1/vfyserv.1.gz %doc %{_mandir}/man1/vfyserv.1*
%files devel %files devel
%defattr(-,root,root)
%{_libdir}/libcrmf.a %{_libdir}/libcrmf.a
%{_libdir}/pkgconfig/nss.pc %{_libdir}/pkgconfig/nss.pc
%{_bindir}/nss-config %{_bindir}/nss-config
%attr(0644,root,root) %doc %{_mandir}/man1/nss-config.1.gz %doc %{_mandir}/man1/nss-config.1*
%dir %{_includedir}/nss3 %dir %{_includedir}/nss3
%{_includedir}/nss3/cert.h %{_includedir}/nss3/cert.h
@ -731,9 +805,7 @@ done
%{_includedir}/nss3/sslproto.h %{_includedir}/nss3/sslproto.h
%{_includedir}/nss3/sslt.h %{_includedir}/nss3/sslt.h
%files pkcs11-devel %files pkcs11-devel
%defattr(-, root, root)
%{_includedir}/nss3/nssbase.h %{_includedir}/nss3/nssbase.h
%{_includedir}/nss3/nssbaset.h %{_includedir}/nss3/nssbaset.h
%{_includedir}/nss3/nssckepv.h %{_includedir}/nss3/nssckepv.h
@ -748,8 +820,121 @@ done
%{_libdir}/libnssb.a %{_libdir}/libnssb.a
%{_libdir}/libnssckfw.a %{_libdir}/libnssckfw.a
%files util
%{!?_licensedir:%global license %%doc}
%license nss/COPYING
%{_libdir}/libnssutil3.so
%files util-devel
# package configuration files
%{_libdir}/pkgconfig/nss-util.pc
%{_bindir}/nss-util-config
# co-owned with nss
%dir %{_includedir}/nss3
# these are marked as public export in nss/lib/util/manifest.mk
%{_includedir}/nss3/base64.h
%{_includedir}/nss3/ciferfam.h
%{_includedir}/nss3/eccutil.h
%{_includedir}/nss3/hasht.h
%{_includedir}/nss3/nssb64.h
%{_includedir}/nss3/nssb64t.h
%{_includedir}/nss3/nsslocks.h
%{_includedir}/nss3/nssilock.h
%{_includedir}/nss3/nssilckt.h
%{_includedir}/nss3/nssrwlk.h
%{_includedir}/nss3/nssrwlkt.h
%{_includedir}/nss3/nssutil.h
%{_includedir}/nss3/pkcs1sig.h
%{_includedir}/nss3/pkcs11.h
%{_includedir}/nss3/pkcs11f.h
%{_includedir}/nss3/pkcs11n.h
%{_includedir}/nss3/pkcs11p.h
%{_includedir}/nss3/pkcs11t.h
%{_includedir}/nss3/pkcs11u.h
%{_includedir}/nss3/pkcs11uri.h
%{_includedir}/nss3/portreg.h
%{_includedir}/nss3/secasn1.h
%{_includedir}/nss3/secasn1t.h
%{_includedir}/nss3/seccomon.h
%{_includedir}/nss3/secder.h
%{_includedir}/nss3/secdert.h
%{_includedir}/nss3/secdig.h
%{_includedir}/nss3/secdigt.h
%{_includedir}/nss3/secerr.h
%{_includedir}/nss3/secitem.h
%{_includedir}/nss3/secoid.h
%{_includedir}/nss3/secoidt.h
%{_includedir}/nss3/secport.h
%{_includedir}/nss3/utilmodt.h
%{_includedir}/nss3/utilpars.h
%{_includedir}/nss3/utilparst.h
%{_includedir}/nss3/utilrename.h
%{_includedir}/nss3/templates/templates.c
%files softokn
%{_libdir}/libnssdbm3.so
%{_libdir}/libnssdbm3.chk
%{_libdir}/libsoftokn3.so
%{_libdir}/libsoftokn3.chk
# shared with nss-tools
%dir %{_libdir}/nss
%dir %{saved_files_dir}
%dir %{unsupported_tools_directory}
%{unsupported_tools_directory}/bltest
%{unsupported_tools_directory}/ecperf
%{unsupported_tools_directory}/fbectest
%{unsupported_tools_directory}/fipstest
%{unsupported_tools_directory}/shlibsign
%files softokn-freebl
%{!?_licensedir:%global license %%doc}
%license nss/COPYING
%{_libdir}/libfreebl3.so
%{_libdir}/libfreebl3.chk
%{_libdir}/libfreeblpriv3.so
%{_libdir}/libfreeblpriv3.chk
#shared
%dir %{prelink_conf_dir}
%{prelink_conf_dir}/nss-softokn-prelink.conf
%dir %{dracut_modules_dir}
%{dracut_modules_dir}/module-setup.sh
%{dracut_conf_dir}/50-nss-softokn.conf
%files softokn-freebl-devel
%{_libdir}/libfreebl.a
%{_includedir}/nss3/blapi.h
%{_includedir}/nss3/blapit.h
%{_includedir}/nss3/alghmac.h
%{_includedir}/nss3/lowkeyi.h
%{_includedir}/nss3/lowkeyti.h
%files softokn-devel
%{_libdir}/pkgconfig/nss-softokn.pc
%{_bindir}/nss-softokn-config
# co-owned with nss
%dir %{_includedir}/nss3
#
# The following headers are those exported public in
# nss/lib/freebl/manifest.mn and
# nss/lib/softoken/manifest.mn
#
# The following list is short because many headers, such as
# the pkcs #11 ones, have been provided by nss-util-devel
# which installed them before us.
#
%{_includedir}/nss3/ecl-exp.h
%{_includedir}/nss3/nsslowhash.h
%{_includedir}/nss3/shsign.h
%changelog %changelog
* Tue Nov 27 2018 Daiki Ueno <dueno@redhat.com> - 3.39.0-1.1
- Consolidate nss-util, nss-softokn, and nss into a single package
- Fix FTBFS with expired test certs
- Modernize spec file based on the suggestion from Robert-André Mauchin
* Mon Sep 3 2018 Daiki Ueno <dueno@redhat.com> - 3.39.0-1.0 * Mon Sep 3 2018 Daiki Ueno <dueno@redhat.com> - 3.39.0-1.0
- Update to NSS 3.39 - Update to NSS 3.39
- Use the upstream tarball as it is (rhbz#1578106) - Use the upstream tarball as it is (rhbz#1578106)


@ -4,3 +4,5 @@ SHA512 (blank-key3.db) = 01f7314e9fc8a7c9aa997652624cfcde213d18a6b3bb31840c1a60b
SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7 SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
SHA512 (blank-secmod.db) = 06a2dbd861839ef6315093459328b500d3832333a34b30e6fac4a2503af337f014a4d319f0f93322409e719142904ce8bc08252ae9a4f37f30d4c3312e900310 SHA512 (blank-secmod.db) = 06a2dbd861839ef6315093459328b500d3832333a34b30e6fac4a2503af337f014a4d319f0f93322409e719142904ce8bc08252ae9a4f37f30d4c3312e900310
SHA512 (nss-3.39.tar.gz) = 16358c2d8660ca301410b1d39b2eae64fe2ebbbfab797872410e5fcc67f802ef48f4e362edeecb0591626c77013537019094a6a5dfc8d24487b6b6e54564da8f SHA512 (nss-3.39.tar.gz) = 16358c2d8660ca301410b1d39b2eae64fe2ebbbfab797872410e5fcc67f802ef48f4e362edeecb0591626c77013537019094a6a5dfc8d24487b6b6e54564da8f
SHA512 (PayPalEE.cert) = 602518b8476b40dd241879923a36a433f3220eb28a8c4f7d941131def6e3d00b01d92050ab498e2a08763b02c3c4709855de0ee23a0053d26f4fa9f9f33aaad3
SHA512 (PayPalICA.cert) = 013795ebb3f13a1cbd5d9d82eef2f439852e461200f12df9790d0b1d63863dc7755af378ea4758f4c8a3a619dfd2d0d43a59da77553caed57611815d6263946b