From c29d479b7f0b0a6912523538b3368a617dc77fba Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Fri, 2 Nov 2018 17:56:27 +0100 Subject: [PATCH] Consolidate nss-util, nss-softokn, and nss into a single package --- nss-skip-bltest-and-fipstest.patch | 15 - nss-skip-util-gtest.patch | 10 - nss-softokn-config.in | 116 +++++++ nss-softokn-dracut-module-setup.sh | 18 + nss-softokn-dracut.conf | 3 + nss-softokn-prelink.conf | 6 + nss-softokn.pc.in | 11 + nss-util-config.in | 118 +++++++ nss-util.pc.in | 11 + nss.spec | 521 +++++++++++++++++++---------- 10 files changed, 635 insertions(+), 194 deletions(-) delete mode 100644 nss-skip-bltest-and-fipstest.patch delete mode 100644 nss-skip-util-gtest.patch create mode 100644 nss-softokn-config.in create mode 100644 nss-softokn-dracut-module-setup.sh create mode 100644 nss-softokn-dracut.conf create mode 100644 nss-softokn-prelink.conf create mode 100644 nss-softokn.pc.in create mode 100644 nss-util-config.in create mode 100644 nss-util.pc.in diff --git a/nss-skip-bltest-and-fipstest.patch b/nss-skip-bltest-and-fipstest.patch deleted file mode 100644 index aee646c..0000000 --- a/nss-skip-bltest-and-fipstest.patch +++ /dev/null @@ -1,15 +0,0 @@ -diff -up ./nss/cmd/Makefile.skipthem ./nss/cmd/Makefile ---- ./nss/cmd/Makefile.skipthem 2017-01-06 13:17:27.477848351 +0100 -+++ ./nss/cmd/Makefile 2017-01-06 13:19:30.244586100 +0100 -@@ -19,7 +19,11 @@ BLTEST_SRCDIR = - ECPERF_SRCDIR = - FREEBL_ECTEST_SRCDIR = - FIPSTEST_SRCDIR = -+ifeq ($(NSS_BLTEST_NOT_AVAILABLE),1) -+SHLIBSIGN_SRCDIR = shlibsign -+else - SHLIBSIGN_SRCDIR = -+endif - else - BLTEST_SRCDIR = bltest - ECPERF_SRCDIR = ecperf diff --git a/nss-skip-util-gtest.patch b/nss-skip-util-gtest.patch deleted file mode 100644 index 94391c8..0000000 --- a/nss-skip-util-gtest.patch +++ /dev/null @@ -1,10 +0,0 @@ -diff -up nss/gtests/manifest.mn.skip_util_gtest nss/gtests/manifest.mn ---- nss/gtests/manifest.mn.skip_util_gtest 2017-08-08 12:45:57.598801125 +0200 -+++ nss/gtests/manifest.mn 2017-08-08 12:46:59.682419852 +0200 -@@ -31,6 +31,5 @@ endif - - DIRS = \ - $(LIB_SRCDIRS) \ -- $(UTIL_SRCDIRS) \ - $(NSS_SRCDIRS) \ - $(NULL) diff --git a/nss-softokn-config.in b/nss-softokn-config.in new file mode 100644 index 0000000..c7abe29 --- /dev/null +++ b/nss-softokn-config.in @@ -0,0 +1,116 @@ +#!/bin/sh + +prefix=@prefix@ + +major_version=@MOD_MAJOR_VERSION@ +minor_version=@MOD_MINOR_VERSION@ +patch_version=@MOD_PATCH_VERSION@ + +usage() +{ + cat <&2 +fi + +while test $# -gt 0; do + case "$1" in + -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;; + *) optarg= ;; + esac + + case $1 in + --prefix=*) + prefix=$optarg + ;; + --prefix) + echo_prefix=yes + ;; + --exec-prefix=*) + exec_prefix=$optarg + ;; + --exec-prefix) + echo_exec_prefix=yes + ;; + --includedir=*) + includedir=$optarg + ;; + --includedir) + echo_includedir=yes + ;; + --libdir=*) + libdir=$optarg + ;; + --libdir) + echo_libdir=yes + ;; + --version) + echo ${major_version}.${minor_version}.${patch_version} + ;; + --cflags) + echo_cflags=yes + ;; + --libs) + echo_libs=yes + ;; + *) + usage 1 1>&2 + ;; + esac + shift +done + +# Set variables that may be dependent upon other variables +if test -z "$exec_prefix"; then + exec_prefix=`pkg-config --variable=exec_prefix nss-softokn` +fi +if test -z "$includedir"; then + includedir=`pkg-config --variable=includedir nss-softokn` +fi +if test -z "$libdir"; then + libdir=`pkg-config --variable=libdir nss-softokn` +fi + +if test "$echo_prefix" = "yes"; then + echo $prefix +fi + +if test "$echo_exec_prefix" = "yes"; then + echo $exec_prefix +fi + +if test "$echo_includedir" = "yes"; then + echo $includedir +fi + +if test "$echo_libdir" = "yes"; then + echo $libdir +fi + +if test "$echo_cflags" = "yes"; then + echo -I$includedir +fi + +if test "$echo_libs" = "yes"; then + libdirs="-Wl,-rpath-link,$libdir -L$libdir" + echo $libdirs +fi + diff --git a/nss-softokn-dracut-module-setup.sh b/nss-softokn-dracut-module-setup.sh new file mode 100644 index 0000000..010ec18 --- /dev/null +++ b/nss-softokn-dracut-module-setup.sh @@ -0,0 +1,18 @@ +#!/bin/bash +# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*- +# ex: ts=8 sw=4 sts=4 et filetype=sh + +check() { + return 255 +} + +depends() { + return 0 +} + +install() { + local _dir + + inst_libdir_file libfreeblpriv3.so libfreeblpriv3.chk \ + libfreebl3.so +} diff --git a/nss-softokn-dracut.conf b/nss-softokn-dracut.conf new file mode 100644 index 0000000..2d9232e --- /dev/null +++ b/nss-softokn-dracut.conf @@ -0,0 +1,3 @@ +# turn on nss-softokn module + +add_dracutmodules+=" nss-softokn " diff --git a/nss-softokn-prelink.conf b/nss-softokn-prelink.conf new file mode 100644 index 0000000..11d7fb0 --- /dev/null +++ b/nss-softokn-prelink.conf @@ -0,0 +1,6 @@ +-b /lib{,64}/libfreeblpriv3.so +-b /lib{,64}/libsoftokn3.so +-b /lib{,64}/libnssdbm3.so +-b /usr/lib{,64}/libfreeblpriv3.so +-b /usr/lib{,64}/libsoftokn3.so +-b /usr/lib{,64}/libnssdbm3.so diff --git a/nss-softokn.pc.in b/nss-softokn.pc.in new file mode 100644 index 0000000..022ebbf --- /dev/null +++ b/nss-softokn.pc.in @@ -0,0 +1,11 @@ +prefix=%prefix% +exec_prefix=%exec_prefix% +libdir=%libdir% +includedir=%includedir% + +Name: NSS-SOFTOKN +Description: Network Security Services Softoken PKCS #11 Module +Version: %SOFTOKEN_VERSION% +Requires: nspr >= %NSPR_VERSION%, nss-util >= %NSSUTIL_VERSION% +Libs: -L${libdir} -lfreebl3 -lnssdbm3 -lsoftokn3 +Cflags: -I${includedir} diff --git a/nss-util-config.in b/nss-util-config.in new file mode 100644 index 0000000..532abbe --- /dev/null +++ b/nss-util-config.in @@ -0,0 +1,118 @@ +#!/bin/sh + +prefix=@prefix@ + +major_version=@MOD_MAJOR_VERSION@ +minor_version=@MOD_MINOR_VERSION@ +patch_version=@MOD_PATCH_VERSION@ + +usage() +{ + cat <&2 +fi + +lib_nssutil=yes + +while test $# -gt 0; do + case "$1" in + -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;; + *) optarg= ;; + esac + + case $1 in + --prefix=*) + prefix=$optarg + ;; + --prefix) + echo_prefix=yes + ;; + --exec-prefix=*) + exec_prefix=$optarg + ;; + --exec-prefix) + echo_exec_prefix=yes + ;; + --includedir=*) + includedir=$optarg + ;; + --includedir) + echo_includedir=yes + ;; + --libdir=*) + libdir=$optarg + ;; + --libdir) + echo_libdir=yes + ;; + --version) + echo ${major_version}.${minor_version}.${patch_version} + ;; + --cflags) + echo_cflags=yes + ;; + --libs) + echo_libs=yes + ;; + *) + usage 1 1>&2 + ;; + esac + shift +done + +# Set variables that may be dependent upon other variables +if test -z "$exec_prefix"; then + exec_prefix=`pkg-config --variable=exec_prefix nss-util` +fi +if test -z "$includedir"; then + includedir=`pkg-config --variable=includedir nss-util` +fi +if test -z "$libdir"; then + libdir=`pkg-config --variable=libdir nss-util` +fi + +if test "$echo_prefix" = "yes"; then + echo $prefix +fi + +if test "$echo_exec_prefix" = "yes"; then + echo $exec_prefix +fi + +if test "$echo_includedir" = "yes"; then + echo $includedir +fi + +if test "$echo_libdir" = "yes"; then + echo $libdir +fi + +if test "$echo_cflags" = "yes"; then + echo -I$includedir +fi + +if test "$echo_libs" = "yes"; then + libdirs="-Wl,-rpath-link,$libdir -L$libdir" + if test -n "$lib_nssutil"; then + libdirs="$libdirs -lnssutil${major_version}" + fi + echo $libdirs +fi + diff --git a/nss-util.pc.in b/nss-util.pc.in new file mode 100644 index 0000000..1310248 --- /dev/null +++ b/nss-util.pc.in @@ -0,0 +1,11 @@ +prefix=%prefix% +exec_prefix=%exec_prefix% +libdir=%libdir% +includedir=%includedir% + +Name: NSS-UTIL +Description: Network Security Services Utility Library +Version: %NSSUTIL_VERSION% +Requires: nspr >= %NSPR_VERSION% +Libs: -L${libdir} -lnssutil3 +Cflags: -I${includedir} diff --git a/nss.spec b/nss.spec index 3a4e248..ee9f9b9 100644 --- a/nss.spec +++ b/nss.spec @@ -1,9 +1,33 @@ %global nspr_version 4.20.0 -%global nss_util_version 3.39.0 -%global nss_softokn_version 3.39.0 %global nss_version 3.39.0 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools %global allTools "certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv" +%global saved_files_dir %{_libdir}/nss/saved +%global prelink_conf_dir %{_sysconfdir}/prelink.conf.d/ +%global dracutlibdir %{_prefix}/lib/dracut +%global dracut_modules_dir %{dracutlibdir}/modules.d/05nss-softokn/ +%global dracut_conf_dir %{dracutlibdir}/dracut.conf.d + +%bcond_without tests + +# Produce .chk files for the final stripped binaries +# +# NOTE: The LD_LIBRARY_PATH line guarantees shlibsign links +# against the freebl that we just built. This is necessary +# because the signing algorithm changed on 3.14 to DSA2 with SHA256 +# whereas we previously signed with DSA and SHA1. We must Keep this line +# until all mock platforms have been updated. +# After %%{__os_install_post} we would add +# export LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%%{_libdir} +%define __spec_install_post \ + %{?__debug_package:%{__debug_install_post}} \ + %{__arch_install_post} \ + %{__os_install_post} \ + $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libsoftokn3.so \ + $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libfreeblpriv3.so \ + $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libfreebl3.so \ + $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libnssdbm3.so \ +%{nil} # The upstream omits the trailing ".0", while we need it for # consistency with the pkg-config version: @@ -23,17 +47,15 @@ License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Group: System Environment/Libraries Requires: nspr >= %{nspr_version} -Requires: nss-util >= %{nss_util_version} +Requires: nss-util >= %{nss_version} # TODO: revert to same version as nss once we are done with the merge -Requires: nss-softokn%{_isa} >= %{nss_softokn_version} +Requires: nss-softokn%{_isa} >= %{nss_version} Requires: nss-system-init Requires: p11-kit-trust Requires: crypto-policies BuildRequires: nspr-devel >= %{nspr_version} -# TODO: revert to same version as nss once we are done with the merge -# Using '>=' but on RHEL the requires should be '=' -BuildRequires: nss-softokn-devel >= %{nss_softokn_version} -BuildRequires: nss-util-devel >= %{nss_util_version} +# for shlibsign +BuildRequires: nss-softokn BuildRequires: sqlite-devel BuildRequires: zlib-devel BuildRequires: pkgconfig @@ -43,15 +65,22 @@ BuildRequires: perl-interpreter BuildRequires: gcc-c++ Source0: %{name}-%{nss_archive_version}.tar.gz -Source1: nss.pc.in -Source2: nss-config.in -Source3: blank-cert8.db -Source4: blank-key3.db -Source5: blank-secmod.db -Source6: blank-cert9.db -Source7: blank-key4.db -Source8: system-pkcs11.txt -Source9: setup-nsssysinit.sh +Source1: nss-util.pc.in +Source2: nss-util-config.in +Source3: nss-softokn.pc.in +Source4: nss-softokn-config.in +Source5: nss-softokn-prelink.conf +Source6: nss-softokn-dracut-module-setup.sh +Source7: nss-softokn-dracut.conf +Source8: nss.pc.in +Source9: nss-config.in +Source10: blank-cert8.db +Source11: blank-key3.db +Source12: blank-secmod.db +Source13: blank-cert9.db +Source14: blank-key4.db +Source15: system-pkcs11.txt +Source16: setup-nsssysinit.sh Source20: nss-config.xml Source21: setup-nsssysinit.xml Source22: pkcs11.txt.xml @@ -64,13 +93,11 @@ Source28: nss-p11-kit.config Source29: PayPalICA.cert Source30: PayPalEE.cert -Patch3: renegotiate-transitional.patch +Patch1: renegotiate-transitional.patch # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=617723 -Patch16: nss-539183.patch +Patch2: nss-539183.patch # Fedora / RHEL-only patch, the templates directory was originally introduced to support mod_revocator -Patch47: utilwrap-include-templates.patch -# TODO remove when we switch to building nss without softoken -Patch49: nss-skip-bltest-and-fipstest.patch +Patch3: utilwrap-include-templates.patch # This patch uses the GCC -iquote option documented at # http://gcc.gnu.org/onlinedocs/gcc/Directory-Options.html#Directory-Options # to give the in-tree headers a higher priority over the system headers, @@ -82,12 +109,11 @@ Patch49: nss-skip-bltest-and-fipstest.patch # # Once the buildroot aha been bootstrapped the patch may be removed # but it doesn't hurt to keep it. -Patch50: iquote.patch +Patch4: iquote.patch # Local patch for TLS_ECDHE_{ECDSA|RSA}_WITH_3DES_EDE_CBC_SHA ciphers -Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch -Patch62: nss-skip-util-gtest.patch +Patch5: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1505317 -Patch63: nss-tests-paypal-certs-v2.patch +Patch6: nss-tests-paypal-certs-v2.patch %description Network Security Services (NSS) is a set of libraries designed to @@ -146,65 +172,113 @@ Summary: Development libraries for PKCS #11 (Cryptoki) using NSS Group: Development/Libraries Provides: nss-pkcs11-devel-static = %{version}-%{release} Requires: nss-devel = %{version}-%{release} -# TODO: revert to using nss_softokn_version once we are done with -# the merge into to new rhel git repo -# For RHEL we should have '=' instead of '>=' -Requires: nss-softokn-freebl-devel >= %{nss_softokn_version} +Requires: nss-softokn-freebl-devel = %{version}-%{release} %description pkcs11-devel Library files for developing PKCS #11 modules using basic NSS low level services. +%package util +Summary: Network Security Services Utilities Library +Group: System Environment/Libraries +Requires: nspr >= %{nspr_version} + +%description util +Utilities for Network Security Services and the Softoken module + +%package util-devel +Summary: Development libraries for Network Security Services Utilities +Group: Development/Libraries +Requires: nss-util = %{version}-%{release} +Requires: nspr-devel >= %{nspr_version} +Requires: pkgconfig + +%description util-devel +Header and library files for doing development with Network Security Services. + + +%package softokn +Summary: Network Security Services Softoken Module +Group: System Environment/Libraries +Requires: nspr >= %{nspr_version} +Requires: nss-util >= %{version}-%{release} +Requires: nss-softokn-freebl%{_isa} >= %{version}-%{release} + +%description softokn +Network Security Services Softoken Cryptographic Module + +%package softokn-freebl +Summary: Freebl library for the Network Security Services +Group: System Environment/Base +# For PR_GetEnvSecure() from nspr >= 4.12 +Requires: nspr >= 4.12 +# For NSS_SecureMemcmpZero() from nss-util >= 3.33 +Requires: nss-util >= 3.33 +Conflicts: nss < 3.12.2.99.3-5 +Conflicts: prelink < 0.4.3 +Conflicts: filesystem < 3 + +%description softokn-freebl +NSS Softoken Cryptographic Module Freebl Library + +Install the nss-softokn-freebl package if you need the freebl library. + +%package softokn-freebl-devel +Summary: Header and Library files for doing development with the Freebl library for NSS +Group: System Environment/Base +Provides: nss-softokn-freebl-static = %{version}-%{release} +Requires: nss-softokn-freebl%{?_isa} = %{version}-%{release} + +%description softokn-freebl-devel +NSS Softoken Cryptographic Module Freebl Library Development Tools +This package supports special needs of some PKCS #11 module developers and +is otherwise considered private to NSS. As such, the programming interfaces +may change and the usual NSS binary compatibility commitments do not apply. +Developers should rely only on the officially supported NSS public API. + +%package softokn-devel +Summary: Development libraries for Network Security Services +Group: Development/Libraries +Requires: nss-softokn%{?_isa} = %{version}-%{release} +Requires: nss-softokn-freebl-devel%{?_isa} = %{version}-%{release} +Requires: nspr-devel >= %{nspr_version} +Requires: nss-util-devel >= %{version}-%{release} +Requires: pkgconfig +BuildRequires: nspr-devel >= %{nspr_version} + +%description softokn-devel +Header and library files for doing development with Network Security Services. + + %prep %setup -q -n %{name}-%{nss_archive_version} -%patch3 -p0 -b .transitional -%patch16 -p0 -b .539183 -%patch47 -p0 -b .templates -%patch49 -p0 -b .skipthem -%patch50 -p0 -b .iquote -%patch58 -p0 -b .1185708_3des +%patch1 -p0 -b .transitional +%patch2 -p0 -b .539183 +%patch3 -p0 -b .templates +%patch4 -p0 -b .iquote +%patch5 -p0 -b .1185708_3des pushd nss -%patch62 -p1 -b .skip_util_gtest -%patch63 -p1 -b .paypal-certs +%patch6 -p1 -b .paypal-certs cp %{SOURCE29} %{SOURCE30} tests/libpkix/certs popd -######################################################### -# Higher-level libraries and test tools need access to -# module-private headers from util, freebl, and softoken -# until fixed upstream we must copy some headers locally -######################################################### - -# Copying these headers until the upstream bug is accepted -# Upstream https://bugzilla.mozilla.org/show_bug.cgi?id=820207 -%{__cp} ./nss/lib/softoken/lowkeyi.h ./nss/cmd/rsaperf -%{__cp} ./nss/lib/softoken/lowkeyti.h ./nss/cmd/rsaperf - -# Before removing util directory we must save verref.h -# as it will be needed later during the build phase. -%{__mv} ./nss/lib/util/verref.h ./nss/verref.h - -##### Remove util/freebl/softoken and low level tools -######## Remove freebl, softoken and util -%{__rm} -rf ./nss/lib/freebl -%{__rm} -rf ./nss/lib/softoken -%{__rm} -rf ./nss/lib/util -######## Remove nss-softokn test tools as we already ran -# the cipher test suite as part of the nss-softokn build -%{__rm} -rf ./nss/cmd/bltest -%{__rm} -rf ./nss/cmd/fipstest -%{__rm} -rf ./nss/cmd/rsaperf_low - %build -FREEBL_NO_DEPEND=1 -export FREEBL_NO_DEPEND +export FREEBL_NO_DEPEND=1 -NSS_FORCE_FIPS=1 -export NSS_FORCE_FIPS +# Must export FREEBL_LOWHASH=1 for nsslowhash.h so that it gets +# copied to dist and the rpm install phase can find it +# This due of the upstream changes to fix +# https://bugzilla.mozilla.org/show_bug.cgi?id=717906 +export FREEBL_LOWHASH=1 + +# uncomment if the iquote patch is activated +export IN_TREE_FREEBL_HEADERS_FIRST=1 + +export NSS_FORCE_FIPS=1 # Enable compiler optimizations and disable debugging code export BUILD_OPT=1 @@ -214,65 +288,29 @@ export BUILD_OPT=1 #export RPM_OPT_FLAGS # Generate symbolic info for debuggers -XCFLAGS=$RPM_OPT_FLAGS -export XCFLAGS +export XCFLAGS=$RPM_OPT_FLAGS -LDFLAGS=$RPM_LD_FLAGS -export LDFLAGS +export LDFLAGS=$RPM_LD_FLAGS -DSO_LDOPTS=$RPM_LD_FLAGS -export DSO_LDOPTS +export DSO_LDOPTS=$RPM_LD_FLAGS -PKG_CONFIG_ALLOW_SYSTEM_LIBS=1 -PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1 +export PKG_CONFIG_ALLOW_SYSTEM_LIBS=1 +export PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1 -export PKG_CONFIG_ALLOW_SYSTEM_LIBS -export PKG_CONFIG_ALLOW_SYSTEM_CFLAGS +export NSPR_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nspr | sed 's/-I//'` +export NSPR_LIB_DIR=%{_libdir} -NSPR_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nspr | sed 's/-I//'` -NSPR_LIB_DIR=%{_libdir} - -export NSPR_INCLUDE_DIR -export NSPR_LIB_DIR - -export NSSUTIL_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nss-util | sed 's/-I//'` -export NSSUTIL_LIB_DIR=%{_libdir} - -export FREEBL_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nss-softokn | sed 's/-I//'` -export FREEBL_LIB_DIR=%{_libdir} -export USE_SYSTEM_FREEBL=1 -# FIXME choose one or the other style and submit a patch upstream -# wtc has suggested using NSS_USE_SYSTEM_FREEBL -export NSS_USE_SYSTEM_FREEBL=1 - -export FREEBL_LIBS=`/usr/bin/pkg-config --libs nss-softokn` - -export SOFTOKEN_LIB_DIR=%{_libdir} -# use the system ones -export USE_SYSTEM_NSSUTIL=1 -export USE_SYSTEM_SOFTOKEN=1 - -# tell the upstream build system what we are doing -export NSS_BUILD_WITHOUT_SOFTOKEN=1 - -NSS_USE_SYSTEM_SQLITE=1 -export NSS_USE_SYSTEM_SQLITE +export NSS_USE_SYSTEM_SQLITE=1 export NSS_ALLOW_SSLKEYLOGFILE=1 %ifnarch noarch %if 0%{__isa_bits} == 64 -USE_64=1 -export USE_64 +export USE_64=1 %endif %endif -# uncomment if the iquote patch is activated -export IN_TREE_FREEBL_HEADERS_FIRST=1 - ##### phase 2: build the rest of nss -export NSS_BLTEST_NOT_AVAILABLE=1 - %{__make} -C ./nss/coreconf %{__make} -C ./nss/lib/dbm @@ -282,14 +320,7 @@ export POLICY_FILE="nss.config" # location of the policy file export POLICY_PATH="/etc/crypto-policies/back-ends" -# nss/nssinit.c, ssl/sslcon.c, smime/smimeutil.c and ckfw/builtins/binst.c -# need nss/lib/util/verref.h which is exported privately, -# copy the one we saved during prep so it they can find it. -%{__mkdir_p} ./dist/private/nss -%{__mv} ./nss/verref.h ./dist/private/nss/verref.h - %{__make} -C ./nss -unset NSS_BLTEST_NOT_AVAILABLE # build the man pages clean pushd ./nss @@ -300,30 +331,71 @@ popd %{__mkdir_p} ./dist/docs/nroff %{__cp} ./nss/doc/nroff/* ./dist/docs/nroff -# Set up our package file -# The nspr_version and nss_{util|softokn}_version globals used -# here match the ones nss has for its Requires. -# Using the current %%{nss_softokn_version} for fedora again +# Set up our package files %{__mkdir_p} ./dist/pkgconfig + %{__cat} %{SOURCE1} | sed -e "s,%%libdir%%,%{_libdir},g" \ + -e "s,%%prefix%%,%{_prefix},g" \ + -e "s,%%exec_prefix%%,%{_prefix},g" \ + -e "s,%%includedir%%,%{_includedir}/nss3,g" \ + -e "s,%%NSPR_VERSION%%,%{nspr_version},g" \ + -e "s,%%NSSUTIL_VERSION%%,%{version},g" > \ + ./dist/pkgconfig/nss-util.pc + +NSSUTIL_VMAJOR=`cat nss/lib/util/nssutil.h | grep "#define.*NSSUTIL_VMAJOR" | awk '{print $3}'` +NSSUTIL_VMINOR=`cat nss/lib/util/nssutil.h | grep "#define.*NSSUTIL_VMINOR" | awk '{print $3}'` +NSSUTIL_VPATCH=`cat nss/lib/util/nssutil.h | grep "#define.*NSSUTIL_VPATCH" | awk '{print $3}'` + +%{__cat} %{SOURCE2} | sed -e "s,@libdir@,%{_libdir},g" \ + -e "s,@prefix@,%{_prefix},g" \ + -e "s,@exec_prefix@,%{_prefix},g" \ + -e "s,@includedir@,%{_includedir}/nss3,g" \ + -e "s,@MOD_MAJOR_VERSION@,$NSSUTIL_VMAJOR,g" \ + -e "s,@MOD_MINOR_VERSION@,$NSSUTIL_VMINOR,g" \ + -e "s,@MOD_PATCH_VERSION@,$NSSUTIL_VPATCH,g" \ + > ./dist/pkgconfig/nss-util-config + +chmod 755 ./dist/pkgconfig/nss-util-config + +%{__cat} %{SOURCE3} | sed -e "s,%%libdir%%,%{_libdir},g" \ + -e "s,%%prefix%%,%{_prefix},g" \ + -e "s,%%exec_prefix%%,%{_prefix},g" \ + -e "s,%%includedir%%,%{_includedir}/nss3,g" \ + -e "s,%%NSPR_VERSION%%,%{nspr_version},g" \ + -e "s,%%NSSUTIL_VERSION%%,%{nss_version},g" \ + -e "s,%%SOFTOKEN_VERSION%%,%{version},g" > \ + ./dist/pkgconfig/nss-softokn.pc + +SOFTOKEN_VMAJOR=`cat nss/lib/softoken/softkver.h | grep "#define.*SOFTOKEN_VMAJOR" | awk '{print $3}'` +SOFTOKEN_VMINOR=`cat nss/lib/softoken/softkver.h | grep "#define.*SOFTOKEN_VMINOR" | awk '{print $3}'` +SOFTOKEN_VPATCH=`cat nss/lib/softoken/softkver.h | grep "#define.*SOFTOKEN_VPATCH" | awk '{print $3}'` + +%{__cat} %{SOURCE4} | sed -e "s,@libdir@,%{_libdir},g" \ + -e "s,@prefix@,%{_prefix},g" \ + -e "s,@exec_prefix@,%{_prefix},g" \ + -e "s,@includedir@,%{_includedir}/nss3,g" \ + -e "s,@MOD_MAJOR_VERSION@,$SOFTOKEN_VMAJOR,g" \ + -e "s,@MOD_MINOR_VERSION@,$SOFTOKEN_VMINOR,g" \ + -e "s,@MOD_PATCH_VERSION@,$SOFTOKEN_VPATCH,g" \ + > ./dist/pkgconfig/nss-softokn-config + +chmod 755 ./dist/pkgconfig/nss-softokn-config + +%{__cat} %{SOURCE8} | sed -e "s,%%libdir%%,%{_libdir},g" \ -e "s,%%prefix%%,%{_prefix},g" \ -e "s,%%exec_prefix%%,%{_prefix},g" \ -e "s,%%includedir%%,%{_includedir}/nss3,g" \ -e "s,%%NSS_VERSION%%,%{version},g" \ -e "s,%%NSPR_VERSION%%,%{nspr_version},g" \ - -e "s,%%NSSUTIL_VERSION%%,%{nss_util_version},g" \ - -e "s,%%SOFTOKEN_VERSION%%,%{nss_softokn_version},g" > \ + -e "s,%%NSSUTIL_VERSION%%,%{nss_version},g" \ + -e "s,%%SOFTOKEN_VERSION%%,%{nss_version},g" > \ ./dist/pkgconfig/nss.pc NSS_VMAJOR=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VMAJOR" | awk '{print $3}'` NSS_VMINOR=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VMINOR" | awk '{print $3}'` NSS_VPATCH=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VPATCH" | awk '{print $3}'` -export NSS_VMAJOR -export NSS_VMINOR -export NSS_VPATCH - -%{__cat} %{SOURCE2} | sed -e "s,@libdir@,%{_libdir},g" \ +%{__cat} %{SOURCE9} | sed -e "s,@libdir@,%{_libdir},g" \ -e "s,@prefix@,%{_prefix},g" \ -e "s,@exec_prefix@,%{_prefix},g" \ -e "s,@includedir@,%{_includedir}/nss3,g" \ @@ -334,7 +406,7 @@ export NSS_VPATCH chmod 755 ./dist/pkgconfig/nss-config -%{__cat} %{SOURCE9} > ./dist/pkgconfig/setup-nsssysinit.sh +%{__cat} %{SOURCE16} > ./dist/pkgconfig/setup-nsssysinit.sh chmod 755 ./dist/pkgconfig/setup-nsssysinit.sh %{__cp} ./nss/lib/ckfw/nssck.api ./dist/private/nss/ @@ -360,30 +432,19 @@ done %check -if [ ${DISABLETEST:-0} -eq 1 ]; then - echo "testing disabled" - exit 0 -fi - +%if %{with tests} # Begin -- copied from the build section -FREEBL_NO_DEPEND=1 -export FREEBL_NO_DEPEND +export FREEBL_NO_DEPEND=1 export BUILD_OPT=1 %ifnarch noarch %if 0%{__isa_bits} == 64 -USE_64=1 -export USE_64 +export USE_64=1 %endif %endif -export NSS_BLTEST_NOT_AVAILABLE=1 - -# needed for the fips mangling test -export SOFTOKEN_LIB_DIR=%{_libdir} - # End -- copied from the build section # This is necessary because the test suite tests algorithms that are @@ -442,13 +503,7 @@ pushd ./nss/tests/ # % define nss_ssl_tests "normal_fips" # % define nss_ssl_run "cov" -SKIP_NSS_TEST_SUITE=`echo $SKIP_NSS_TEST_SUITE` - -if [ "x$SKIP_NSS_TEST_SUITE" == "x" ]; then - HOST=localhost DOMSUF=localdomain PORT=$MYRAND NSS_CYCLES=%{?nss_cycles} NSS_TESTS=%{?nss_tests} NSS_SSL_TESTS=%{?nss_ssl_tests} NSS_SSL_RUN=%{?nss_ssl_run} ./all.sh -else - echo "skipped test suite" -fi +HOST=localhost DOMSUF=localdomain PORT=$MYRAND NSS_CYCLES=%{?nss_cycles} NSS_TESTS=%{?nss_tests} NSS_SSL_TESTS=%{?nss_ssl_tests} NSS_SSL_RUN=%{?nss_ssl_run} ./all.sh popd @@ -459,12 +514,7 @@ popd # GREP_EXIT_STATUS > 1 would indicate an error in grep such as failure to find the log file. killall $RANDSERV || : -if [ "x$SKIP_NSS_TEST_SUITE" == "x" ]; then - TEST_FAILURES=$(grep -c -- '- FAILED$' ./tests_results/security/localhost.1/output.log) || GREP_EXIT_STATUS=$? -else - TEST_FAILURES=0 - GREP_EXIT_STATUS=1 -fi +TEST_FAILURES=$(grep -c -- '- FAILED$' ./tests_results/security/localhost.1/output.log) || GREP_EXIT_STATUS=$? if [ ${GREP_EXIT_STATUS:-0} -eq 1 ]; then echo "okay: test suite detected no failures" @@ -486,6 +536,7 @@ else fi fi echo "test suite completed" +%endif %install @@ -499,6 +550,10 @@ echo "test suite completed" %{__mkdir_p} $RPM_BUILD_ROOT/%{_libdir} %{__mkdir_p} $RPM_BUILD_ROOT/%{unsupported_tools_directory} %{__mkdir_p} $RPM_BUILD_ROOT/%{_libdir}/pkgconfig +%{__mkdir_p} $RPM_BUILD_ROOT/%{saved_files_dir} +%{__mkdir_p} $RPM_BUILD_ROOT/%{prelink_conf_dir} +%{__mkdir_p} $RPM_BUILD_ROOT/%{dracut_modules_dir} +%{__mkdir_p} $RPM_BUILD_ROOT/%{dracut_conf_dir} %{__mkdir_p} $RPM_BUILD_ROOT/%{_sysconfdir}/crypto-policies/local.d %if %{defined rhel} # not needed for rhel and its derivatives only fedora @@ -507,11 +562,15 @@ echo "test suite completed" %{__mkdir_p} $RPM_BUILD_ROOT%{_datadir}/doc/nss-tools %endif +%{__install} -m 644 %{SOURCE5} $RPM_BUILD_ROOT/%{prelink_conf_dir} +%{__install} -m 755 %{SOURCE6} $RPM_BUILD_ROOT/%{dracut_modules_dir}/module-setup.sh +%{__install} -m 644 %{SOURCE7} $RPM_BUILD_ROOT/%{dracut_conf_dir}/50-nss-softokn.conf + mkdir -p $RPM_BUILD_ROOT%{_mandir}/man1 mkdir -p $RPM_BUILD_ROOT%{_mandir}/man5 # Copy the binary libraries we want -for file in libnss3.so libnsssysinit.so libsmime3.so libssl3.so +for file in libnssutil3.so libsoftokn3.so libnssdbm3.so libfreebl3.so libfreeblpriv3.so libnss3.so libnsssysinit.so libsmime3.so libssl3.so do %{__install} -p -m 755 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir} done @@ -519,13 +578,13 @@ done # Install the empty NSS db files # Legacy db %{__mkdir_p} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb -%{__install} -p -m 644 %{SOURCE3} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert8.db -%{__install} -p -m 644 %{SOURCE4} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key3.db -%{__install} -p -m 644 %{SOURCE5} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/secmod.db +%{__install} -p -m 644 %{SOURCE10} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert8.db +%{__install} -p -m 644 %{SOURCE11} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key3.db +%{__install} -p -m 644 %{SOURCE12} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/secmod.db # Shared db -%{__install} -p -m 644 %{SOURCE6} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert9.db -%{__install} -p -m 644 %{SOURCE7} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key4.db -%{__install} -p -m 644 %{SOURCE8} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/pkcs11.txt +%{__install} -p -m 644 %{SOURCE13} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert9.db +%{__install} -p -m 644 %{SOURCE14} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key4.db +%{__install} -p -m 644 %{SOURCE15} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/pkcs11.txt # Copy the development libraries we want for file in libcrmf.a libnssb.a libnssckfw.a @@ -540,7 +599,7 @@ do done # Copy the binaries we ship as unsupported -for file in atob btoa derdump listsuites ocspclnt pp selfserv signtool strsclnt symkeyutil tstclnt vfyserv vfychain +for file in bltest ecperf fbectest fipstest shlibsign atob btoa derdump listsuites ocspclnt pp selfserv signtool strsclnt symkeyutil tstclnt vfyserv vfychain do %{__install} -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{unsupported_tools_directory} done @@ -551,13 +610,29 @@ do %{__install} -p -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss3 done +# Copy some freebl include files we also want +for file in blapi.h alghmac.h +do + %{__install} -p -m 644 dist/private/nss/$file $RPM_BUILD_ROOT/%{_includedir}/nss3 +done + +# Copy the static freebl library +for file in libfreebl.a +do +%{__install} -p -m 644 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir} +done + # Copy the template files we want -for file in dist/private/nss/nssck.api +for file in dist/private/nss/templates.c dist/private/nss/nssck.api do %{__install} -p -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss3/templates done # Copy the package configuration files +%{__install} -p -m 644 ./dist/pkgconfig/nss-util.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss-util.pc +%{__install} -p -m 755 ./dist/pkgconfig/nss-util-config $RPM_BUILD_ROOT/%{_bindir}/nss-util-config +%{__install} -p -m 644 ./dist/pkgconfig/nss-softokn.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss-softokn.pc +%{__install} -p -m 755 ./dist/pkgconfig/nss-softokn-config $RPM_BUILD_ROOT/%{_bindir}/nss-softokn-config %{__install} -p -m 644 ./dist/pkgconfig/nss.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss.pc %{__install} -p -m 755 ./dist/pkgconfig/nss-config $RPM_BUILD_ROOT/%{_bindir}/nss-config # Copy the pkcs #11 configuration script @@ -732,7 +807,6 @@ update-crypto-policies %{_includedir}/nss3/sslproto.h %{_includedir}/nss3/sslt.h - %files pkcs11-devel %{_includedir}/nss3/nssbase.h %{_includedir}/nss3/nssbaset.h @@ -748,9 +822,118 @@ update-crypto-policies %{_libdir}/libnssb.a %{_libdir}/libnssckfw.a +%files util +%{!?_licensedir:%global license %%doc} +%license nss/COPYING +%{_libdir}/libnssutil3.so + +%files util-devel +# package configuration files +%{_libdir}/pkgconfig/nss-util.pc +%{_bindir}/nss-util-config + +# co-owned with nss +%dir %{_includedir}/nss3 +# these are marked as public export in nss/lib/util/manifest.mk +%{_includedir}/nss3/base64.h +%{_includedir}/nss3/ciferfam.h +%{_includedir}/nss3/eccutil.h +%{_includedir}/nss3/hasht.h +%{_includedir}/nss3/nssb64.h +%{_includedir}/nss3/nssb64t.h +%{_includedir}/nss3/nsslocks.h +%{_includedir}/nss3/nssilock.h +%{_includedir}/nss3/nssilckt.h +%{_includedir}/nss3/nssrwlk.h +%{_includedir}/nss3/nssrwlkt.h +%{_includedir}/nss3/nssutil.h +%{_includedir}/nss3/pkcs1sig.h +%{_includedir}/nss3/pkcs11.h +%{_includedir}/nss3/pkcs11f.h +%{_includedir}/nss3/pkcs11n.h +%{_includedir}/nss3/pkcs11p.h +%{_includedir}/nss3/pkcs11t.h +%{_includedir}/nss3/pkcs11u.h +%{_includedir}/nss3/pkcs11uri.h +%{_includedir}/nss3/portreg.h +%{_includedir}/nss3/secasn1.h +%{_includedir}/nss3/secasn1t.h +%{_includedir}/nss3/seccomon.h +%{_includedir}/nss3/secder.h +%{_includedir}/nss3/secdert.h +%{_includedir}/nss3/secdig.h +%{_includedir}/nss3/secdigt.h +%{_includedir}/nss3/secerr.h +%{_includedir}/nss3/secitem.h +%{_includedir}/nss3/secoid.h +%{_includedir}/nss3/secoidt.h +%{_includedir}/nss3/secport.h +%{_includedir}/nss3/utilmodt.h +%{_includedir}/nss3/utilpars.h +%{_includedir}/nss3/utilparst.h +%{_includedir}/nss3/utilrename.h +%{_includedir}/nss3/templates/templates.c + +%files softokn +%{_libdir}/libnssdbm3.so +%{_libdir}/libnssdbm3.chk +%{_libdir}/libsoftokn3.so +%{_libdir}/libsoftokn3.chk +# shared with nss-tools +%dir %{_libdir}/nss +%dir %{saved_files_dir} +%dir %{unsupported_tools_directory} +%{unsupported_tools_directory}/bltest +%{unsupported_tools_directory}/ecperf +%{unsupported_tools_directory}/fbectest +%{unsupported_tools_directory}/fipstest +%{unsupported_tools_directory}/shlibsign + +%files softokn-freebl +%{!?_licensedir:%global license %%doc} +%license nss/COPYING +%{_libdir}/libfreebl3.so +%{_libdir}/libfreebl3.chk +%{_libdir}/libfreeblpriv3.so +%{_libdir}/libfreeblpriv3.chk +#shared +%dir %{prelink_conf_dir} +%{prelink_conf_dir}/nss-softokn-prelink.conf +%dir %{dracut_modules_dir} +%{dracut_modules_dir}/module-setup.sh +%{dracut_conf_dir}/50-nss-softokn.conf + +%files softokn-freebl-devel +%{_libdir}/libfreebl.a +%{_includedir}/nss3/blapi.h +%{_includedir}/nss3/blapit.h +%{_includedir}/nss3/alghmac.h +%{_includedir}/nss3/lowkeyi.h +%{_includedir}/nss3/lowkeyti.h + +%files softokn-devel +%{_libdir}/pkgconfig/nss-softokn.pc +%{_bindir}/nss-softokn-config + +# co-owned with nss +%dir %{_includedir}/nss3 +# +# The following headers are those exported public in +# nss/lib/freebl/manifest.mn and +# nss/lib/softoken/manifest.mn +# +# The following list is short because many headers, such as +# the pkcs #11 ones, have been provided by nss-util-devel +# which installed them before us. +# +%{_includedir}/nss3/ecl-exp.h +%{_includedir}/nss3/nsslowhash.h +%{_includedir}/nss3/shsign.h + %changelog * Wed Nov 14 2018 Daiki Ueno - 3.39.0-4 +- Consolidate nss-util, nss-softokn, and nss into a single package - Fix FTBFS with expired test certs * Thu Sep 13 2018 Daiki Ueno - 3.39.0-3