From d5b7e00105dca8c2ab826719e117a0125ef9d4e6 Mon Sep 17 00:00:00 2001
From: Kai Engert
Date: Tue, 19 Jun 2007 00:01:44 +0000
Subject: [PATCH] - Better approach to ship freebl/softokn based on 3.11.5 - Remove link time dependency on softokn
---
.cvsignore | 3 +-
nss-decouple-softokn.patch | 317 +++++++++++++++++++
nss-disable-build-freebl-softoken.patch | 386 ++++++++++++++++++++++++
nss.spec | 91 +++++-
sources | 3 +-
5 files changed, 788 insertions(+), 12 deletions(-)
create mode 100644 nss-decouple-softokn.patch
create mode 100644 nss-disable-build-freebl-softoken.patch
diff --git a/.cvsignore b/.cvsignore
index 0efdf23..45014b7 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -1 +1,2 @@
-nss-3.11.7-fbst3115-stripped.tar.gz
+nss-3.11.5-fbst-stripped.tar.gz
+nss-3.11.7-no-fbst-with-ckbi-1.64.tar.gz
diff --git a/nss-decouple-softokn.patch b/nss-decouple-softokn.patch
new file mode 100644
index 0000000..ae0d535
--- /dev/null
+++ b/nss-decouple-softokn.patch
@@ -0,0 +1,317 @@ +? mozilla/security/nss/cmd/crmf-cgi/~Makefile +? mozilla/security/nss/lib/ckfw/builtins/qa.der +Index: mozilla/security/nss/lib/nss/config.mk +=================================================================== +RCS file: /cvsroot/mozilla/security/nss/lib/nss/config.mk,v +retrieving revision 1.26.2.1 +diff -u -p -r1.26.2.1 config.mk +--- mozilla/security/nss/lib/nss/config.mk 17 Nov 2006 01:33:15 -0000 1.26.2.1 ++++ mozilla/security/nss/lib/nss/config.mk 12 Jun 2007 01:29:35 -0000 +@@ -53,7 +53,6 @@ RESNAME = $(LIBRARY_NAME).rc + ifdef NS_USE_GCC + EXTRA_SHARED_LIBS += \ + -L$(DIST)/lib \ +- -lsoftokn3 \ + -L$(NSPR_LIB_DIR) \ + -lplc4 \ + -lplds4 \ +@@ -61,7 +60,6 @@ EXTRA_SHARED_LIBS += \ + $(NULL) + else # ! NS_USE_GCC + EXTRA_SHARED_LIBS += \ +- $(DIST)/lib/softokn3.lib \ + $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4.lib \ + $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4.lib \ + $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4.lib \ +@@ -74,7 +72,6 @@ else + # $(EXTRA_SHARED_LIBS) come before $(OS_LIBS), except on AIX. 
+ EXTRA_SHARED_LIBS += \ + -L$(DIST)/lib \ +- -lsoftokn3 \ + -L$(NSPR_LIB_DIR) \ + -lplc4 \ + -lplds4 \ +Index: mozilla/security/nss/lib/pk11wrap/manifest.mn +=================================================================== +RCS file: /cvsroot/mozilla/security/nss/lib/pk11wrap/manifest.mn,v +retrieving revision 1.16.2.1 +diff -u -p -r1.16.2.1 manifest.mn +--- mozilla/security/nss/lib/pk11wrap/manifest.mn 2 Jun 2007 02:23:37 -0000 1.16.2.1 ++++ mozilla/security/nss/lib/pk11wrap/manifest.mn 12 Jun 2007 01:29:35 -0000 +@@ -82,6 +82,13 @@ REQUIRES = dbm + + LIBRARY_NAME = pk11wrap + ++LIBRARY_VERSION = 3 ++SOFTOKEN_LIBRARY_VERSION = 3 ++ ++DEFINES += -DSHLIB_SUFFIX=\"$(DLL_SUFFIX)\" -DSHLIB_PREFIX=\"$(DLL_PREFIX)\" \ ++ -DSHLIB_VERSION=\"$(LIBRARY_VERSION)\" \ ++ -DSOFTOKEN_SHLIB_VERSION=\"$(SOFTOKEN_LIBRARY_VERSION)\" ++ + # only add module debugging in opt builds if DEBUG_PKCS11 is set + ifdef DEBUG_PKCS11 + DEFINES += -DDEBUG_MODULE -DFORCE_PR_LOG +Index: mozilla/security/nss/lib/pk11wrap/pk11load.c +=================================================================== +RCS file: /cvsroot/mozilla/security/nss/lib/pk11wrap/pk11load.c,v +retrieving revision 1.17 +diff -u -p -r1.17 pk11load.c +--- mozilla/security/nss/lib/pk11wrap/pk11load.c 20 Sep 2005 20:56:07 -0000 1.17 ++++ mozilla/security/nss/lib/pk11wrap/pk11load.c 12 Jun 2007 01:29:35 -0000 +@@ -47,10 +47,6 @@ + #include "nssilock.h" + #include "secerr.h" + +-extern void FC_GetFunctionList(void); +-extern void NSC_GetFunctionList(void); +-extern void NSC_ModuleDBFunc(void); +- + #ifdef DEBUG + #define DEBUG_MODULE 1 + #endif +@@ -221,6 +217,196 @@ SECMOD_SetRootCerts(PK11SlotInfo *slot, + } + } + ++static const char* nss_name = ++ SHLIB_PREFIX"nss"SHLIB_VERSION"."SHLIB_SUFFIX; ++static const char* softoken_default_name = ++ SHLIB_PREFIX"softokn"SOFTOKEN_SHLIB_VERSION"."SHLIB_SUFFIX; ++static PRCallOnceType loadSoftokenOnce; ++static PRLibrary* softokenLib; ++ ++#ifdef XP_UNIX ++#include ++#define 
BL_MAXSYMLINKS 20 ++ ++/* ### Copied from freebl/loader.c and freebl changed to softoken. */ ++/* ++ * If 'link' is a symbolic link, this function follows the symbolic links ++ * and returns the pathname of the ultimate source of the symbolic links. ++ * If 'link' is not a symbolic link, this function returns NULL. ++ * The caller should call PR_Free to free the string returned by this ++ * function. ++ */ ++static char* st_GetOriginalPathname(const char* link) ++{ ++ char* resolved = NULL; ++ char* input = NULL; ++ PRUint32 iterations = 0; ++ PRInt32 len = 0, retlen = 0; ++ if (!link) { ++ PR_SetError(PR_INVALID_ARGUMENT_ERROR, 0); ++ return NULL; ++ } ++ len = PR_MAX(1024, strlen(link) + 1); ++ resolved = PR_Malloc(len); ++ input = PR_Malloc(len); ++ if (!resolved || !input) { ++ if (resolved) { ++ PR_Free(resolved); ++ } ++ if (input) { ++ PR_Free(input); ++ } ++ return NULL; ++ } ++ strcpy(input, link); ++ while ( (iterations++ < BL_MAXSYMLINKS) && ++ ( (retlen = readlink(input, resolved, len - 1)) > 0) ) { ++ char* tmp = input; ++ resolved[retlen] = '\0'; /* NULL termination */ ++ input = resolved; ++ resolved = tmp; ++ } ++ PR_Free(resolved); ++ if (iterations == 1 && retlen < 0) { ++ PR_Free(input); ++ input = NULL; ++ } ++ return input; ++} ++#endif /* XP_UNIX */ ++ ++/* ++ * We use PR_GetLibraryFilePathname to get the pathname of the loaded ++ * shared lib that contains this function, and then do a PR_LoadLibrary ++ * with an absolute pathname for the softoken shared library. ++ */ ++ ++#include "prio.h" ++#include "prprf.h" ++#include ++#include "prsystem.h" ++ ++/* ### Copied from freebl/loader.c and freebl changed to softoken, ++ * and softoken changed to nss. ++ */ ++/* ++ * Load the softoken library with the file name 'name' residing in the same ++ * directory as libnss, whose pathname is 'nssPath'. 
++ */ ++static PRLibrary * ++st_LoadSoftokenLibInNssDir(const char *nssPath, const char *name) ++{ ++ PRLibrary *dlh = NULL; ++ char *fullName = NULL; ++ char* c; ++ PRLibSpec libSpec; ++ ++ /* Remove "libnss" from the pathname and add the softoken libname */ ++ c = strrchr(nssPath, PR_GetDirectorySeparator()); ++ if (c) { ++ size_t nssPathSize = 1 + c - nssPath; ++ fullName = (char*) PORT_Alloc(strlen(name) + nssPathSize + 1); ++ if (fullName) { ++ memcpy(fullName, nssPath, nssPathSize); ++ strcpy(fullName + nssPathSize, name); ++#ifdef DEBUG_LOADER ++ PR_fprintf(PR_STDOUT, "\nAttempting to load fully-qualified %s\n", ++ fullName); ++#endif ++ libSpec.type = PR_LibSpec_Pathname; ++ libSpec.value.pathname = fullName; ++ dlh = PR_LoadLibraryWithFlags(libSpec, PR_LD_NOW | PR_LD_LOCAL); ++ PORT_Free(fullName); ++ } ++ } ++ return dlh; ++} ++ ++/* ### Copied from freebl/loader.c and freebl changed to softoken, ++ * and softoken changed to nss. ++ */ ++static PRLibrary * ++st_LoadLibrary(const char *name) ++{ ++ PRLibrary *lib = NULL; ++ PRFuncPtr fn_addr; ++ char* nssPath = NULL; ++ PRLibSpec libSpec; ++ ++ /* Get the pathname for the loaded libnss, i.e. /usr/lib/libnss3.so ++ * PR_GetLibraryFilePathname works with either the base library name or a ++ * function pointer, depending on the platform. We can't query an exported ++ * symbol such as NSC_GetFunctionList, because on some platforms we can't ++ * find symbols in loaded implicit dependencies such as libnss. ++ * But we can just get the address of this function ! ++ */ ++ fn_addr = (PRFuncPtr) &st_LoadLibrary; ++ nssPath = PR_GetLibraryFilePathname(nss_name, fn_addr); ++ ++ if (nssPath) { ++ lib = st_LoadSoftokenLibInNssDir(nssPath, name); ++#ifdef XP_UNIX ++ if (!lib) { ++ /* ++ * If nssPath is a symbolic link, resolve the symbolic ++ * link and try again. 
++ */ ++ char* originalNssPath = st_GetOriginalPathname(nssPath); ++ if (originalNssPath) { ++ PR_Free(nssPath); ++ nssPath = originalNssPath; ++ lib = st_LoadSoftokenLibInNssDir(nssPath, name); ++ } ++ } ++#endif ++ PR_Free(nssPath); ++ } ++ if (!lib) { ++#ifdef DEBUG_LOADER ++ PR_fprintf(PR_STDOUT, "\nAttempting to load %s\n", name); ++#endif ++ libSpec.type = PR_LibSpec_Pathname; ++ libSpec.value.pathname = name; ++ lib = PR_LoadLibraryWithFlags(libSpec, PR_LD_NOW | PR_LD_LOCAL); ++ } ++ if (NULL == lib) { ++#ifdef DEBUG_LOADER ++ PR_fprintf(PR_STDOUT, "\nLoading failed : %s.\n", name); ++#endif ++ } ++ return lib; ++} ++ ++/* This function must be run only once. */ ++/* determine if hybrid platform, then actually load the DSO. */ ++static PRStatus ++softoken_LoadDSO( void ) ++{ ++ PRLibrary * handle; ++ const char * name = softoken_default_name; ++ ++ if (!name) { ++ PR_SetError(PR_LOAD_LIBRARY_ERROR, 0); ++ return PR_FAILURE; ++ } ++ ++ handle = st_LoadLibrary(name); ++ if (handle) { ++ softokenLib = handle; ++ return PR_SUCCESS; ++ } ++ return PR_FAILURE; ++} ++ ++static PRStatus ++softoken_RunLoaderOnce( void ) ++{ ++ PRStatus status; ++ ++ status = PR_CallOnce(&loadSoftokenOnce, &softoken_LoadDSO); ++ return status; ++} ++ + /* + * load a new module into our address space and initialize it. + */ +@@ -238,6 +424,11 @@ SECMOD_LoadPKCS11Module(SECMODModule *mo + + /* intenal modules get loaded from their internal list */ + if (mod->internal) { ++#if 0 ++ /* ++ * Original NSS code that uses a softoken library ++ * linked in statically. Deactivated. ++ */ + /* internal, statically get the C_GetFunctionList function */ + if (mod->isFIPS) { + entry = (CK_C_GetFunctionList) FC_GetFunctionList; +@@ -251,6 +442,35 @@ SECMOD_LoadPKCS11Module(SECMODModule *mo + mod->loaded = PR_TRUE; + return SECSuccess; + } ++#else ++ /* ++ * Workaround code that loads softoken as a dynamic library, ++ * even though the rest of NSS assumes this as the "internal" module. 
++ */ ++ if (!softokenLib && PR_SUCCESS != softoken_RunLoaderOnce()) ++ return SECFailure; ++ ++ if (mod->isFIPS) { ++ entry = (CK_C_GetFunctionList) ++ PR_FindSymbol(softokenLib, "FC_GetFunctionList"); ++ } else { ++ entry = (CK_C_GetFunctionList) ++ PR_FindSymbol(softokenLib, "NSC_GetFunctionList"); ++ } ++ ++ if (!entry) ++ return SECFailure; ++ ++ if (mod->isModuleDB) { ++ mod->moduleDBFunc = (CK_C_GetFunctionList) ++ PR_FindSymbol(softokenLib, "NSC_ModuleDBFunc"); ++ } ++ ++ if (mod->moduleDBOnly) { ++ mod->loaded = PR_TRUE; ++ return SECSuccess; ++ } ++#endif + } else { + /* Not internal, load the DLL and look up C_GetFunctionList */ + if (mod->dllName == NULL) { diff --git a/nss-disable-build-freebl-softoken.patch b/nss-disable-build-freebl-softoken.patch new file mode 100644 index 0000000..6dc4896 --- /dev/null +++ b/nss-disable-build-freebl-softoken.patch 
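Review bot: In `st_LoadLibrary`, the final `if (!lib)` branch passes the bare file name to `PR_LoadLibraryWithFlags`, so whenever the load from libnss's own directory fails, the library that becomes NSS's internal PKCS #11 module is resolved through the platform's default library search order rather than from a fixed location. I would limit that fallback to the case where `PR_GetLibraryFilePathname` returned NULL (recorded in a flag before `PR_Free(nssPath)`), or drop it, and put a comment on the branch stating which directories are trusted to supply softoken. `st_GetOriginalPathname` makes the fallback easier to reach than it looks, because it returns the raw `readlink()` target: a relative target with no directory separator makes `st_LoadSoftokenLibInNssDir` return NULL. Separately, in `SECMOD_LoadPKCS11Module` the result of `PR_FindSymbol(softokenLib, "NSC_ModuleDBFunc")` is stored in `mod->moduleDBFunc` without a NULL check, unlike `entry` just above; unless its callers tolerate NULL, add `if (!mod->moduleDBFunc) return SECFailure;`. The body of `SECMOD_LoadPKCS11Module` continues outside the inner hunks.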
@@ -0,0 +1,386 @@ +--- mozilla/security/nss/lib/softoken/manifest.mn.nofbst 2006-10-03 00:58:51.000000000 +0200 ++++ mozilla/security/nss/lib/softoken/manifest.mn 2007-06-16 11:16:42.000000000 +0200 +@@ -40,8 +40,8 @@ + + REQUIRES = dbm + +-LIBRARY_NAME = softokn +-LIBRARY_VERSION = 3 ++#LIBRARY_NAME = softokn ++#LIBRARY_VERSION = 3 + MAPFILE = $(OBJDIR)/softokn.def + + DEFINES += -DSHLIB_SUFFIX=\"$(DLL_SUFFIX)\" -DSHLIB_PREFIX=\"$(DLL_PREFIX)\" -DSOFTOKEN_LIB_NAME=\"$(notdir $(SHARED_LIBRARY))\" +@@ -66,28 +66,6 @@ + softoknt.h \ + $(NULL) + +-CSRCS = \ +- dbinit.c \ +- dbmshim.c \ +- ecdecode.c \ +- fipsaudt.c \ +- fipstest.c \ +- fipstokn.c \ +- keydb.c \ +- lowcert.c \ +- lowkey.c \ +- lowpbe.c \ +- padbuf.c \ +- pcertdb.c \ +- pk11db.c \ +- pkcs11.c \ +- pkcs11c.c \ +- pkcs11u.c \ +- rsawrapr.c \ +- softkver.c \ +- tlsprf.c \ +- $(NULL) +- + ifdef NSS_ENABLE_ECC + DEFINES += -DNSS_ENABLE_ECC + endif +--- mozilla/security/nss/lib/softoken/Makefile.nofbst 2004-04-25 17:03:16.000000000 +0200 ++++ mozilla/security/nss/lib/softoken/Makefile 2007-06-16 11:16:42.000000000 +0200 +@@ -78,18 +78,3 @@ + + export:: private_export + +-# On AIX 4.3, IBM xlC_r compiler (version 3.6.6) cannot compile +-# pkcs11c.c in 64-bit mode for unknown reasons. A workaround is +-# to compile it with optimizations turned on. 
(Bugzilla bug #63815) +-ifeq ($(OS_TARGET)$(OS_RELEASE),AIX4.3) +-ifeq ($(USE_64),1) +-ifndef BUILD_OPT +-$(OBJDIR)/pkcs11.o: pkcs11.c +- @$(MAKE_OBJDIR) +- $(CC) -o $@ -c -O2 $(CFLAGS) $< +-$(OBJDIR)/pkcs11c.o: pkcs11c.c +- @$(MAKE_OBJDIR) +- $(CC) -o $@ -c -O2 $(CFLAGS) $< +-endif +-endif +-endif +--- mozilla/security/nss/lib/freebl/manifest.mn.nofbst 2006-10-13 19:02:58.000000000 +0200 ++++ mozilla/security/nss/lib/freebl/manifest.mn 2007-06-16 11:16:42.000000000 +0200 +@@ -44,8 +44,10 @@ + + MODULE = nss + ++ifndef FREEBL_CHILD_BUILD + LIBRARY_NAME = freebl + LIBRARY_VERSION = 3 ++endif + + ifdef FREEBL_CHILD_BUILD + ifdef USE_ABI32_INT32 +@@ -98,56 +100,9 @@ + $(NULL) + + MPI_HDRS = mpi-config.h mpi.h mpi-priv.h mplogic.h mpprime.h logtab.h mp_gf2m.h +-MPI_SRCS = mpprime.c mpmontg.c mplogic.c mpi.c mp_gf2m.c + + + ECL_HDRS = ecl-exp.h ecl.h ec2.h ecp.h ecl-priv.h +-ifdef NSS_ENABLE_ECC +-ECL_SRCS = ecl.c ecl_curve.c ecl_mult.c ecl_gf.c \ +- ecp_aff.c ecp_jac.c ecp_mont.c \ +- ec_naf.c ecp_jm.c +-ifdef NSS_ECC_MORE_THAN_SUITE_B +-ECL_SRCS += ec2_aff.c ec2_mont.c ec2_proj.c \ +- ec2_163.c ec2_193.c ec2_233.c \ +- ecp_192.c ecp_224.c ecp_256.c ecp_384.c ecp_521.c +-endif +-else +-ECL_SRCS = $(NULL) +-endif +-SHA_SRCS = sha_fast.c +-MPCPU_SRCS = mpcpucache.c +- +-CSRCS = \ +- freeblver.c \ +- ldvector.c \ +- prng_fips1861.c \ +- sysrand.c \ +- $(SHA_SRCS) \ +- md2.c \ +- md5.c \ +- sha512.c \ +- alghmac.c \ +- rawhash.c \ +- alg2268.c \ +- arcfour.c \ +- arcfive.c \ +- desblapi.c \ +- des.c \ +- rijndael.c \ +- aeskeywrap.c \ +- dh.c \ +- ec.c \ +- pqg.c \ +- dsa.c \ +- rsa.c \ +- shvfy.c \ +- tlsprfalg.c \ +- $(MPI_SRCS) \ +- $(MPCPU_SRCS) \ +- $(ECL_SRCS) \ +- $(NULL) +- +-ALL_CSRCS := $(CSRCS) + + ALL_HDRS = \ + alghmac.h \ +--- mozilla/security/nss/lib/freebl/Makefile.nofbst 2006-12-07 02:59:41.000000000 +0100 ++++ mozilla/security/nss/lib/freebl/Makefile 2007-06-16 11:16:42.000000000 +0200 +@@ -84,21 +84,17 @@ + + ifeq ($(OS_TARGET),OSF1) + DEFINES += 
-DMP_ASSEMBLY_MULTIPLY -DMP_NO_MP_WORD +- MPI_SRCS += mpvalpha.c + endif + + ifeq (,$(filter-out WINNT WIN95,$(OS_TARGET))) #omits WIN16 and WINCE + ifdef NS_USE_GCC + # Ideally, we want to use assembler +-# ASFILES = mpi_x86.s + # DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE \ + # -DMP_ASSEMBLY_DIV_2DX1D + # but we haven't figured out how to make it work, so we are not + # using assembler right now. +- ASFILES = + DEFINES += -DMP_NO_MP_WORD -DMP_USE_UINT_DIGIT + else +- MPI_SRCS += mpi_x86_asm.c + DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE + DEFINES += -DMP_ASSEMBLY_DIV_2DX1D -DMP_USE_UINT_DIGIT -DMP_NO_MP_WORD + ifdef BUILD_OPT +@@ -114,7 +110,6 @@ + + ifeq ($(OS_TARGET),IRIX) + ifeq ($(USE_N32),1) +- ASFILES = mpi_mips.s + ifeq ($(NS_USE_GCC),1) + ASFLAGS = -Wp,-P -Wp,-traditional -O -mips3 + else +@@ -127,16 +122,13 @@ + + ifeq ($(OS_TARGET),Linux) + ifeq ($(CPU_ARCH),x86_64) +- ASFILES = arcfour-amd64-gas.s mpi_amd64_gas.s + ASFLAGS += -march=opteron -m64 -fPIC + DEFINES += -DNSS_BEVAND_ARCFOUR -DMPI_AMD64 -DMP_ASSEMBLY_MULTIPLY + DEFINES += -DNSS_USE_COMBA + DEFINES += -DMP_CHAR_STORE_SLOW -DMP_IS_LITTLE_ENDIAN + # DEFINES += -DMPI_AMD64_ADD +- MPI_SRCS += mpi_amd64.c mp_comba.c + endif + ifeq ($(CPU_ARCH),x86) +- ASFILES = mpi_x86.s + DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE + DEFINES += -DMP_ASSEMBLY_DIV_2DX1D + DEFINES += -DMP_CHAR_STORE_SLOW -DMP_IS_LITTLE_ENDIAN +@@ -155,33 +147,11 @@ + ifeq ($(OS_TARGET), HP-UX) + ifneq ($(OS_TEST), ia64) + # PA-RISC +-ASFILES += ret_cr16.s + ifndef USE_64 + FREEBL_BUILD_SINGLE_SHLIB = + HAVE_ABI32_INT32 = 1 + HAVE_ABI32_FPU = 1 + endif +-ifdef FREEBL_CHILD_BUILD +-ifdef USE_ABI32_INT32 +-# build for DA1.1 (HP PA 1.1) 32-bit ABI build with 32-bit arithmetic +- DEFINES += -DMP_USE_UINT_DIGIT -DMP_NO_MP_WORD +- DEFINES += -DSHA_NO_LONG_LONG # avoid 64-bit arithmetic in SHA512 +-else +-ifdef USE_64 +-# this builds for DA2.0W (HP PA 2.0 Wide), the LP64 ABI, using 64-bit digits +- MPI_SRCS 
+= mpi_hp.c +- ASFILES += hpma512.s hppa20.s +- DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE +-else +-# this builds for DA2.0 (HP PA 2.0 Narrow) ABI32_FPU model +-# (the 32-bit ABI with 64-bit registers) using 64-bit digits +- MPI_SRCS += mpi_hp.c +- ASFILES += hpma512.s hppa20.s +- DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE +- ARCHFLAG = -Aa +e +DA2.0 +DS2.0 +-endif +-endif +-endif + endif + endif + +@@ -326,7 +296,6 @@ + ifdef USE_ABI32_INT32 + # this builds for Sparc v8 pure 32-bit architecture + DEFINES += -DMP_USE_UINT_DIGIT -DMP_ASSEMBLY_MULTIPLY +- ASFILES = mpv_sparcv8x.s + DEFINES += -DSHA_NO_LONG_LONG # avoid 64-bit arithmetic in SHA512 + endif + ifdef USE_ABI32_INT64 +@@ -337,8 +306,6 @@ + ifdef USE_ABI32_FPU + # this builds for Sparc v8+a ABI32_FPU architecture, 64-bit registers, + # 32-bit ABI, it uses FPU code, and 32-bit word size +- MPI_SRCS += mpi_sparc.c +- ASFILES = mpv_sparcv8.s montmulfv8.s + DEFINES += -DMP_NO_MP_WORD -DMP_USE_UINT_DIGIT -DMP_ASSEMBLY_MULTIPLY + DEFINES += -DMP_USING_MONT_MULF -DMP_MONT_USE_MP_MUL + ECL_USE_FP = 1 +@@ -350,8 +317,6 @@ + ifdef USE_ABI64_FPU + # this builds for Sparc v9a pure 64-bit architecture + # It uses floating point, and 32-bit word size +- MPI_SRCS += mpi_sparc.c +- ASFILES = mpv_sparcv9.s montmulfv9.s + DEFINES += -DMP_NO_MP_WORD -DMP_USE_UINT_DIGIT -DMP_ASSEMBLY_MULTIPLY + DEFINES += -DMP_USING_MONT_MULF -DMP_MONT_USE_MP_MUL + ECL_USE_FP = 1 +@@ -367,29 +332,22 @@ + ifeq ($(USE_64),1) + # Solaris for AMD64 + ifdef NS_USE_GCC +- ASFILES = arcfour-amd64-gas.s mpi_amd64_gas.s + ASFLAGS += -march=opteron -m64 -fPIC +- MPI_SRCS += mp_comba.c + else +- ASFILES = arcfour-amd64-sun.s mpi_amd64_sun.s sha-fast-amd64-sun.s +- ASFILES += mp_comba_amd64_sun.s mpcpucache_amd64.s + ASFLAGS += -xarch=generic64 -K PIC + SHA_SRCS = + MPCPU_SRCS = + endif + DEFINES += -DNSS_BEVAND_ARCFOUR -DMPI_AMD64 -DMP_ASSEMBLY_MULTIPLY + DEFINES += -DNSS_USE_COMBA +- MPI_SRCS += mpi_amd64.c + else + # Solaris x86 
+ DEFINES += -D_X86_ + DEFINES += -DMP_USE_UINT_DIGIT + DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE + DEFINES += -DMP_ASSEMBLY_DIV_2DX1D +- ASFILES = mpi_i86pc.s + ifndef NS_USE_GCC + MPCPU_SRCS = +- ASFILES += mpcpucache_x86.s + endif + endif + endif # Solaris for non-sparc family CPUs +@@ -399,7 +357,6 @@ + ifdef ECL_USE_FP + #enable floating point ECC code + DEFINES += -DECL_USE_FP +- ECL_SRCS += ecp_fp160.c ecp_fp192.c ecp_fp224.c ecp_fp.c + ECL_HDRS += ecp_fp.h + endif + endif # NSS_ENABLE_ECC +@@ -436,26 +393,12 @@ + + DEFINES += -DMP_API_COMPATIBLE + +-MPI_USERS = dh.c pqg.c dsa.c rsa.c ec.c +- +-MPI_OBJS = $(addprefix $(OBJDIR)/$(PROG_PREFIX), $(MPI_SRCS:.c=$(OBJ_SUFFIX))) +-MPI_OBJS += $(addprefix $(OBJDIR)/$(PROG_PREFIX), $(MPI_USERS:.c=$(OBJ_SUFFIX))) +- + $(MPI_OBJS): $(MPI_HDRS) + +-ECL_USERS = ec.c +- +-ECL_OBJS = $(addprefix $(OBJDIR)/$(PROG_PREFIX), $(ECL_SRCS:.c=$(OBJ_SUFFIX)) $(ECL_ASM_SRCS:$(ASM_SUFFIX)=$(OBJ_SUFFIX))) +-ECL_OBJS += $(addprefix $(OBJDIR)/$(PROG_PREFIX), $(ECL_USERS:.c=$(OBJ_SUFFIX))) +- + $(ECL_OBJS): $(ECL_HDRS) + + + +-$(OBJDIR)/sysrand$(OBJ_SUFFIX): sysrand.c unix_rand.c win_rand.c mac_rand.c os2_rand.c +- +-$(OBJDIR)/$(PROG_PREFIX)mpprime$(OBJ_SUFFIX): primes.c +- + $(OBJDIR)/ldvector$(OBJ_SUFFIX) $(OBJDIR)/loader$(OBJ_SUFFIX) : loader.h + + ifeq ($(SYSV_SPARC),1) +@@ -468,8 +411,6 @@ + @$(MAKE_OBJDIR) + $(SOLARIS_AS) -o $@ $(SOLARIS_AS_FLAGS) $< + +-$(OBJDIR)/mpmontg.o: mpmontg.c montmulf.h +- + endif + + ifndef FREEBL_CHILD_BUILD +@@ -565,25 +506,3 @@ + + endif # FREEBL_CHILD_BUILD + +- +-# Bugzilla Bug 209827: disable optimization to work around what appears +-# to be a VACPP optimizer bug. +-ifdef XP_OS2_VACPP +-$(OBJDIR)/alg2268.obj: alg2268.c +- @$(MAKE_OBJDIR) +- $(CC) -Fo$@ -c $(filter-out /O+, $(CFLAGS)) $(call core_abspath,$<) +-endif +- +-# Bugzilla Bug 333917: the non-x86 code in desblapi.c seems to violate +-# ANSI C's strict aliasing rules. 
+-ifeq ($(OS_TARGET),Linux) +-ifneq ($(CPU_ARCH),x86) +-$(OBJDIR)/$(PROG_PREFIX)desblapi$(OBJ_SUFFIX): desblapi.c +- @$(MAKE_OBJDIR) +-ifdef NEED_ABSOLUTE_PATH +- $(CC) -o $@ -c $(CFLAGS) -fno-strict-aliasing $(call core_abspath,$<) +-else +- $(CC) -o $@ -c $(CFLAGS) -fno-strict-aliasing $< +-endif +-endif +-endif +--- mozilla/security/nss/cmd/shlibsign/Makefile.nofbst 2006-12-07 02:59:40.000000000 +0100 ++++ mozilla/security/nss/cmd/shlibsign/Makefile 2007-06-16 11:16:42.000000000 +0200 +@@ -60,9 +60,9 @@ + + # sign any and all shared libraries that contain the word freebl + +-CHECKLIBS = $(DIST)/lib/$(DLL_PREFIX)softokn3.$(DLL_SUFFIX) +-CHECKLIBS += $(wildcard $(DIST)/lib/$(DLL_PREFIX)freebl*3.$(DLL_SUFFIX)) +-CHECKLOC = $(CHECKLIBS:.$(DLL_SUFFIX)=.chk) ++#CHECKLIBS = $(DIST)/lib/$(DLL_PREFIX)softokn3.$(DLL_SUFFIX) ++#CHECKLIBS += $(wildcard $(DIST)/lib/$(DLL_PREFIX)freebl*3.$(DLL_SUFFIX)) ++#CHECKLOC = $(CHECKLIBS:.$(DLL_SUFFIX)=.chk) + + MD_LIB_RELEASE_FILES = $(CHECKLOC) + ALL_TRASH += $(CHECKLOC) +--- mozilla/security/nss/cmd/platlibs.mk.nofbst 2006-11-17 03:13:16.000000000 +0100 ++++ mozilla/security/nss/cmd/platlibs.mk 2007-06-16 11:16:42.000000000 +0200 +@@ -101,7 +101,6 @@ + $(DIST)/lib/$(LIB_PREFIX)cryptohi.$(LIB_SUFFIX) \ + $(DIST)/lib/$(LIB_PREFIX)pk11wrap.$(LIB_SUFFIX) \ + $(DIST)/lib/$(LIB_PREFIX)certdb.$(LIB_SUFFIX) \ +- $(DIST)/lib/$(LIB_PREFIX)softokn.$(LIB_SUFFIX) \ + $(CRYPTOLIB) \ + $(DIST)/lib/$(LIB_PREFIX)secutil.$(LIB_SUFFIX) \ + $(DIST)/lib/$(LIB_PREFIX)nsspki.$(LIB_SUFFIX) \ +@@ -143,7 +142,6 @@ + $(DIST)/lib/$(LIB_PREFIX)certhi.$(LIB_SUFFIX) \ + $(DIST)/lib/$(LIB_PREFIX)nsspki.$(LIB_SUFFIX) \ + $(DIST)/lib/$(LIB_PREFIX)pk11wrap.$(LIB_SUFFIX) \ +- $(DIST)/lib/$(LIB_PREFIX)softokn.$(LIB_SUFFIX) \ + $(DIST)/lib/$(LIB_PREFIX)certdb.$(LIB_SUFFIX) \ + $(DIST)/lib/$(LIB_PREFIX)nsspki.$(LIB_SUFFIX) \ + $(DIST)/lib/$(LIB_PREFIX)nssdev.$(LIB_SUFFIX) \ +@@ -225,10 +223,6 @@ + endif + endif + +-ifeq ($(OS_ARCH), Darwin) +-EXTRA_SHARED_LIBS += 
-dylib_file @executable_path/libsoftokn3.dylib:$(DIST)/lib/libsoftokn3.dylib +-endif +- + + # $(PROGRAM) has NO explicit dependencies on $(EXTRA_SHARED_LIBS) + # $(EXTRA_SHARED_LIBS) come before $(OS_LIBS), except on AIX. diff --git a/nss.spec b/nss.spec index 1d27d25..00893a4 100644 --- a/nss.spec +++ b/nss.spec @@ -1,10 +1,12 @@ %define nspr_version 4.6.2 %define unsupported_tools_directory %{_libdir}/nss/unsupported-tools +%define fips_source_version 3.11.5 +%define ckbi_version 1.64 Summary: Network Security Services Name: nss Version: 3.11.7 -Release: 3%{?dist} +Release: 4%{?dist} License: MPL/GPL/LGPL URL: http://www.mozilla.org/projects/security/pki/nss/ Group: System Environment/Libraries @@ -16,17 +18,24 @@ BuildRequires: gawk Provides: mozilla-nss Obsoletes: mozilla-nss -Source0: %{name}-%{version}-fbst3115-stripped.tar.gz +#Source0: %{name}-%{version}-no-fbst.tar.gz +Source0: %{name}-%{version}-no-fbst-with-ckbi-%{ckbi_version}.tar.gz +# ckbi is the builtin roots module which may get released separately. + Source1: nss.pc.in Source2: nss-config.in Source3: blank-cert8.db Source4: blank-key3.db Source5: blank-secmod.db Source7: fake-kstat.h +Source10: %{name}-%{fips_source_version}-fbst-stripped.tar.gz Patch1: nss-no-rpath.patch Patch2: nss-smartcard-auth.patch Patch3: nss-use-netstat-hack.patch +Patch4: nss-decouple-softokn.patch +Patch5: nss-disable-build-freebl-softoken.patch + %description Network Security Services (NSS) is a set of libraries designed to 
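Review bot: The shlibsign Makefile hunk comments out `CHECKLIBS` and `CHECKLOC`, so this tree no longer produces `.chk` files for softokn3 and freebl, yet the comment above them still says the libraries are signed and `MD_LIB_RELEASE_FILES` and `ALL_TRASH` still expand the now-empty `$(CHECKLOC)`. Nothing in the visible nss.spec hunks regenerates those files for the libraries copied from the 3.11.5 tree, so please confirm where that happens; if softoken's integrity self-check depends on them, a missing or stale file would presumably surface only at run time. I would replace the commented-out lines with a short comment such as `# softokn/freebl are built and signed from the separate FIPS source tree; nothing to sign here`, adjusted to wherever the signing is actually done.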
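Review bot: `%define fips_source_version 3.11.5` carries no comment saying that libsoftokn3.so and libfreebl3.so in this package are now built and installed from that older tarball while `Version:` still reads 3.11.7, so the package version no longer tells an administrator which freebl/softoken code is installed. I would add a comment above the define, for example `# freebl/softoken are built from this release, not from the Version: below; security fixes to lib/freebl and lib/softoken must be backported to it`. The existing note about ckbi next to `Source0` is a good model for the wording.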
@@ -76,11 +85,43 @@ low level services. %prep %setup -q -%patch1 -p0 -%patch2 -p0 -b .smartcard-auth.patch -%patch3 -p0 +%setup -q -T -D -n %{name}-%{version} -a 10 + +%define old_nss_lib %{name}-%{fips_source_version}/mozilla/security/nss/lib +%define new_nss_lib mozilla/security/nss/lib + +# Ensure we will not use new freebl/softoken code +rm -rf %{new_nss_lib}/freebl +rm -rf %{new_nss_lib}/softoken + +# However, in order to build newer NSS we need some exports +cp -a %{old_nss_lib}/freebl %{new_nss_lib} +cp -a %{old_nss_lib}/softoken %{new_nss_lib} + +# Ensure the newer NSS tree will not build code, except the loader +mv -i %{new_nss_lib}/freebl/loader.c %{new_nss_lib}/freebl/loader.c.save +rm -rf %{new_nss_lib}/freebl/*.c %{new_nss_lib}/freebl/*.s +rm -rf %{new_nss_lib}/softoken/*.c %{new_nss_lib}/softoken/*.s +mv -i %{new_nss_lib}/freebl/loader.c.save %{new_nss_lib}/freebl/loader.c + +# These currently don't build without freebl/softoken in the same tree +rm -rf mozilla/security/nss/cmd/bltest +rm -rf mozilla/security/nss/cmd/fipstest +rm -rf mozilla/security/nss/cmd/certcgi + +# Apply the patches to the newer NSS tree +%patch1 -p0 +%patch2 -p0 -b .smartcard-auth +%patch4 -p0 -b .decouple-softokn +%patch5 -p0 -b .nofbst + +# Apply the patches to the tree where we build freebl/softoken +cd nss-%{fips_source_version} +%patch3 -p0 -b .use-netstat-hack %{__mkdir_p} mozilla/security/nss/lib/fake/ cp -i %{SOURCE7} mozilla/security/nss/lib/fake/kstat.h +cd .. + %build 
@@ -115,17 +156,27 @@ export USE_64 # NSS_ENABLE_ECC=1 # export NSS_ENABLE_ECC +##### first, build freebl and softokn shared libraries + +cd nss-%{fips_source_version} %{__make} -C ./mozilla/security/coreconf %{__make} -C ./mozilla/security/dbm %{__make} -C ./mozilla/security/nss export - +%{__make} -C ./mozilla/security/nss/lib/base %{__make} -C ./mozilla/security/nss/lib/util %{__make} -C ./mozilla/security/nss/lib/freebl - touch ./mozilla/security/nss/lib/freebl/unix_rand.c USE_NETSTAT_HACK=1 %{__make} -C ./mozilla/security/nss/lib/freebl +%{__make} -C ./mozilla/security/nss/lib/freebl install +%{__make} -C ./mozilla/security/nss/lib/softoken +%{__make} -C ./mozilla/security/nss/lib/softoken install +cd .. -%{__make} -C ./mozilla/security/nss +##### second, build all the rest of NSS + +%{__make} -C ./mozilla/security/coreconf +%{__make} -C ./mozilla/security/dbm +%{__make} -C ./mozilla/security/nss # Set up our package file %{__mkdir_p} $RPM_BUILD_ROOT/%{_libdir}/pkgconfig @@ -168,7 +219,14 @@ chmod 755 $RPM_BUILD_ROOT/%{_bindir}/nss-config %{__mkdir_p} $RPM_BUILD_ROOT/%{unsupported_tools_directory} # Copy the binary libraries we want -for file in libnss3.so libssl3.so libsmime3.so libsoftokn3.so libnssckbi.so libfreebl3.so +for file in libsoftokn3.so libfreebl3.so +do + %{__install} -m 755 nss-%{fips_source_version}/mozilla/dist/*.OBJ/lib/$file \ + $RPM_BUILD_ROOT/%{_libdir} +done + +# Copy the binary libraries we want +for file in libnss3.so libssl3.so libsmime3.so libnssckbi.so do %{__install} -m 755 mozilla/dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir} done 
@@ -201,7 +259,16 @@ do %{__install} -m 755 mozilla/dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{unsupported_tools_directory} done -# Copy the include files +# Copy the include files we want from freebl/softoken sources +# and remove those files from the other area +for file in blapit.h shsign.h ecl-exp.h pkcs11.h pkcs11f.h pkcs11p.h pkcs11t.h pkcs11n.h pkcs11u.h +do + %{__install} -m 644 nss-%{fips_source_version}/mozilla/dist/public/nss/$file \ + $RPM_BUILD_ROOT/%{_includedir}/nss3 + rm mozilla/dist/public/nss/$file +done + +# Copy the include files we want for file in mozilla/dist/public/nss/*.h do %{__install} -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss3 @@ -368,6 +435,10 @@ done %changelog +* Mon Jun 18 2007 Kai Engert - 3.11.7-4 +- Better approach to ship freebl/softokn based on 3.11.5 +- Remove link time dependency on softokn + * Sun Jun 10 2007 Kai Engert - 3.11.7-3 - Fix unowned directories, rhbz#233890 diff --git a/sources b/sources index 1eb758a..97305fd 100644 --- a/sources +++ b/sources @@ -1 +1,2 @@ -d57e4dd494f04f4c26c9035e660a1fba nss-3.11.7-fbst3115-stripped.tar.gz +68c5e1bd8ba091e5a50babcd9e552bc5 nss-3.11.5-fbst-stripped.tar.gz +c1053d1e001a5b1eb4b7c296a968ca5c nss-3.11.7-no-fbst-with-ckbi-1.64.tar.gz