2009-06-23 00:58:55 +00:00

%define nspr_version 4.7
%define unsupported_tools_directory %{_libdir}/nss/unsupported-tools
Summary: Network Security Services
Name: nss
Release: 5%{?dist}
License: MPLv1.1 or GPLv2+ or LGPLv2+
URL: http://www.mozilla.org/projects/security/pki/nss/
Group: System Environment/Libraries
Requires: nspr >= %{nspr_version}
Requires: nss-softokn-freebl%{_isa} >= %{version}
Requires: sqlite
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: nspr-devel >= %{nspr_version}
BuildRequires: sqlite-devel
BuildRequires: zlib-devel
BuildRequires: pkgconfig
BuildRequires: gawk
BuildRequires: psmisc
BuildRequires: perl
Source0: %{name}-%{version}-stripped.tar.bz2
Source1: nss.pc.in
Source2: nss-config.in
Source3: blank-cert8.db
Source4: blank-key3.db
Source5: blank-secmod.db
Source8: nss-prelink.conf
Source12: %{name}-pem-20090622.tar.bz2
Source13: PayPalEE.cert
Source14: PayPalICA.cert
Patch1: nss-no-rpath.patch
Patch2: nss-nolocalsql.patch
Patch6: nss-enable-pem.patch
Patch7: nss-stubs-bug502133.patch
%description
Network Security Services (NSS) is a set of libraries designed to
support cross-platform development of security-enabled client and
server applications. Applications built with NSS can support SSL v2
and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509
v3 certificates, and other security standards.
%package softokn-freebl
Summary: Freebl library for the Network Security Services
Group: System Environment/Base
Conflicts: nss <
%description softokn-freebl
Network Security Services (NSS) is a set of libraries designed to
support cross-platform development of security-enabled client and
server applications. Applications built with NSS can support SSL v2
and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509
v3 certificates, and other security standards.
Install the nss-softokn-freebl package if you need the freebl
%package tools
Summary: Tools for the Network Security Services
Group: System Environment/Base
Requires: nss = %{version}-%{release}
Requires: zlib
%description tools
Network Security Services (NSS) is a set of libraries designed to
support cross-platform development of security-enabled client and
server applications. Applications built with NSS can support SSL v2
and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509
v3 certificates, and other security standards.
Install the nss-tools package if you need command-line tools to
manipulate the NSS certificate and key database.
%package devel
Summary: Development libraries for Network Security Services
Group: Development/Libraries
Requires: nss = %{version}-%{release}
Requires: nspr-devel >= %{nspr_version}
Requires: pkgconfig
%description devel
Header and Library files for doing development with Network Security Services.
%package pkcs11-devel
Summary: Development libraries for PKCS #11 (Cryptoki) using NSS
Group: Development/Libraries
Requires: nss-devel = %{version}-%{release}
%description pkcs11-devel
Library files for developing PKCS #11 modules using basic NSS
low level services.
%prep
%setup -q
%setup -q -T -D -n %{name}-%{version} -a 12
%patch1 -p0
%patch2 -p0
%patch6 -p0 -b .libpem
%patch7 -p0 -b .502133
#need newer certs to make test suite work
#remove once we update to NSS 3.12.4
cp %{SOURCE13} %{SOURCE14} mozilla/security/nss/tests/libpkix/certs
%build
# Enable compiler optimizations and disable debugging code
export BUILD_OPT
# Generate symbolic info for debuggers
export XCFLAGS
#export NSPR_INCLUDE_DIR=`nspr-config --includedir`
#export NSPR_LIB_DIR=`nspr-config --libdir`
NSPR_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nspr | sed 's/-I//'`
NSPR_LIB_DIR=`/usr/bin/pkg-config --libs-only-L nspr | sed 's/-L//'`
%ifarch x86_64 ppc64 ia64 s390x sparc64
export USE_64
%endif
%{__make} -C ./mozilla/security/coreconf
%{__make} -C ./mozilla/security/dbm
%{__make} -C ./mozilla/security/nss
# Set up our package file
%{__mkdir_p} $RPM_BUILD_ROOT/%{_libdir}/pkgconfig
%{__cat} %{SOURCE1} | sed -e "s,%%libdir%%,%{_libdir},g" \
-e "s,%%prefix%%,%{_prefix},g" \
-e "s,%%exec_prefix%%,%{_prefix},g" \
-e "s,%%includedir%%,%{_includedir}/nss3,g" \
-e "s,%%NSPR_VERSION%%,%{nspr_version},g" \
-e "s,%%NSS_VERSION%%,%{version},g" > \
NSS_VMAJOR=`cat mozilla/security/nss/lib/nss/nss.h | grep "#define.*NSS_VMAJOR" | awk '{print $3}'`
NSS_VMINOR=`cat mozilla/security/nss/lib/nss/nss.h | grep "#define.*NSS_VMINOR" | awk '{print $3}'`
NSS_VPATCH=`cat mozilla/security/nss/lib/nss/nss.h | grep "#define.*NSS_VPATCH" | awk '{print $3}'`
%{__mkdir_p} $RPM_BUILD_ROOT/%{_bindir}
%{__cat} %{SOURCE2} | sed -e "s,@libdir@,%{_libdir},g" \
-e "s,@prefix@,%{_prefix},g" \
-e "s,@exec_prefix@,%{_prefix},g" \
-e "s,@includedir@,%{_includedir}/nss3,g" \
> $RPM_BUILD_ROOT/%{_bindir}/nss-config
chmod 755 $RPM_BUILD_ROOT/%{_bindir}/nss-config
# enable the following line to force a test failure
# find ./mozilla -name \*.chk | xargs rm -f
# Run test suite.
# In order to support multiple concurrent executions of the test suite
# (caused by concurrent RPM builds) on a single host,
# we'll use a random port. Also, we want to clean up any stuck
# selfserv processes. If process name "selfserv" is used everywhere,
# we can't simply do a "killall selfserv", because it could disturb
# concurrent builds. Therefore we'll do a search and replace and use
# a different process name.
# Using xargs doesn't mix well with spaces in filenames, in order to
# avoid weird quoting we'll require that no spaces are being used.
SPACEISBAD=`find ./mozilla/security/nss/tests | grep -c ' '` ||:
if [ $SPACEISBAD -ne 0 ]; then
  echo "error: filenames containing space are not supported (xargs)"
  exit 1
fi
MYRAND=`perl -e 'print 9000 + int rand 1000'`; echo $MYRAND ||:
RANDSERV=selfserv_${MYRAND}; echo $RANDSERV ||:
DISTBINDIR=`ls -d ./mozilla/dist/*.OBJ/bin`; echo $DISTBINDIR ||:
pushd `pwd`
ln -s selfserv $RANDSERV
# man perlrun, man perlrequick
# replace word-occurrences of selfserv with selfserv_$MYRAND
find ./mozilla/security/nss/tests -type f |\
grep -v "\.db$" |grep -v "\.crl$" | grep -v "\.crt$" |\
grep -vw CVS |xargs grep -lw selfserv |\
xargs -l perl -pi -e "s/\bselfserv\b/$RANDSERV/g" ||:
killall $RANDSERV || :
rm -rf ./mozilla/tests_results
cd ./mozilla/security/nss/tests/
# all.sh is the test suite script
HOST=localhost DOMSUF=localdomain PORT=$MYRAND ./all.sh
cd ../../../../
killall $RANDSERV || :
TEST_FAILURES=`grep -c FAILED ./mozilla/tests_results/security/localhost.1/output.log` || :
if [ $TEST_FAILURES -ne 0 ]; then
  echo "error: test suite returned failure(s)"
  exit 1
fi
echo "test suite completed"
# Produce .chk files for the final stripped binaries
%define __spec_install_post \
    %{?__debug_package:%{__debug_install_post}} \
    %{__arch_install_post} \
    %{__os_install_post} \
    $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_lib}/libsoftokn3.so \
    $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_lib}/libfreebl3.so \
%{nil}

%install
# There is no make install target so we'll do it ourselves.
%{__mkdir_p} $RPM_BUILD_ROOT/%{_includedir}/nss3
%{__mkdir_p} $RPM_BUILD_ROOT/%{_bindir}
%{__mkdir_p} $RPM_BUILD_ROOT/%{_lib}
%{__mkdir_p} $RPM_BUILD_ROOT/%{unsupported_tools_directory}
# Copy the binary libraries we want
for file in libsoftokn3.so libfreebl3.so libnss3.so libnssutil3.so \
            libssl3.so libsmime3.so libnssckbi.so libnsspem.so libnssdbm3.so
do
  %{__install} -m 755 mozilla/dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_lib}
  ln -sf ../../%{_lib}/$file $RPM_BUILD_ROOT/%{_libdir}/$file
done
# Make sure chk files can be found in both places
for file in libsoftokn3.chk libfreebl3.chk
do
  ln -s ../../%{_lib}/$file $RPM_BUILD_ROOT/%{_libdir}/$file
done
# Install the empty NSS db files
%{__mkdir_p} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb
%{__install} -m 644 %{SOURCE3} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert8.db
%{__install} -m 644 %{SOURCE4} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key3.db
%{__install} -m 644 %{SOURCE5} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/secmod.db
%{__mkdir_p} $RPM_BUILD_ROOT/%{_sysconfdir}/prelink.conf.d
%{__install} -m 644 %{SOURCE8} $RPM_BUILD_ROOT/%{_sysconfdir}/prelink.conf.d/nss-prelink.conf
# Copy the development libraries we want
for file in libcrmf.a libnssb.a libnssckfw.a
do
  %{__install} -m 644 mozilla/dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
done
# Copy the binaries we want
for file in certutil cmsutil crlutil modutil pk12util signtool signver ssltap
do
  %{__install} -m 755 mozilla/dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{_bindir}
done
# Copy the binaries we ship as unsupported
for file in atob btoa derdump ocspclnt pp selfserv shlibsign strsclnt symkeyutil tstclnt vfyserv vfychain
do
  %{__install} -m 755 mozilla/dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{unsupported_tools_directory}
done
# Copy the include files we want
for file in mozilla/dist/public/nss/*.h
do
  %{__install} -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss3
done

%clean
%{__rm} -rf $RPM_BUILD_ROOT

%post
/sbin/ldconfig >/dev/null 2>/dev/null

%postun
/sbin/ldconfig >/dev/null 2>/dev/null

%files
%dir %{_libdir}/nss
%dir %{unsupported_tools_directory}
%dir %{_sysconfdir}/pki/nssdb
%config(noreplace) %{_sysconfdir}/pki/nssdb/cert8.db
%config(noreplace) %{_sysconfdir}/pki/nssdb/key3.db
%config(noreplace) %{_sysconfdir}/pki/nssdb/secmod.db
%dir %{_sysconfdir}/prelink.conf.d
%files softokn-freebl
%files tools
%files devel
%dir %{_includedir}/nss3
%files pkcs11-devel
%defattr(-, root, root)

%changelog
* Mon Jun 22 2009 Elio Maldonado <emaldona@redhat.com> -
- updated pem module incorporates various patches
- fix off-by-one error when computing size to reduce memory leak. (483855)
- fix data type to work on x86_64 systems. (429175)
- fix various memory leaks and free internal objects on module unload. (501080)
- fix to not clone internal objects in collect_objects(). (501118)
- fix to not bypass initialization if module arguments are omitted. (501058)
- fix numerous gcc warnings. (500815)
- fix to support arbitrarily long password while loading a private key. (500180)
- fix memory leak in make_key and memory leaks and return values in pem_mdSession_Login (501191)
* Fri Jun 08 2009 Elio Maldonado <emaldona@redhat.com> -
- add patch for bug 502133 upstream bug 496997
* Fri Jun 05 2009 Kai Engert <kaie@redhat.com> -
- rebuild with higher release number for upgrade sanity
* Fri Jun 05 2009 Kai Engert <kaie@redhat.com> -
- updated to NSS_3_12_4_FIPS1_WITH_CKBI_1_75
* Thu May 07 2009 Kai Engert <kaie@redhat.com> - 3.12.3-7
- re-enable test suite
- add patch for upstream bug 488646 and add newer paypal
certs in order to make the test suite pass
* Wed May 06 2009 Kai Engert <kaie@redhat.com> - 3.12.3-4
- add conflicts info in order to fix bug 499436
* Tue Apr 14 2009 Kai Engert <kaie@redhat.com> - 3.12.3-3
- ship .chk files instead of running shlibsign at install time
- include .chk file in softokn-freebl subpackage
- add patch for upstream nss bug 488350
* Tue Apr 14 2009 Kai Engert <kaie@redhat.com> - 3.12.3-2
- Update to NSS 3.12.3
* Mon Apr 06 2009 Kai Engert <kaie@redhat.com> -
- temporarily disable the test suite because of bug 494266
* Mon Apr 06 2009 Kai Engert <kaie@redhat.com> -
- fix softokn-freebl dependency for multilib (bug 494122)
* Thu Apr 02 2009 Kai Engert <kaie@redhat.com> -
- introduce separate nss-softokn-freebl package
* Thu Apr 02 2009 Kai Engert <kaie@redhat.com> -
- disable execstack when building freebl
* Tue Mar 31 2009 Kai Engert <kaie@redhat.com> -
- add upstream patch to fix bug 483855
* Tue Mar 31 2009 Kai Engert <kaie@redhat.com> -
- build nspr-less freebl library
* Tue Mar 31 2009 Kai Engert <kaie@redhat.com> -
- Update to NSS_3_12_3_BETA4
* Wed Feb 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> -
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
* Wed Oct 22 2008 Kai Engert <kaie@redhat.com> -
- update to NSS_3_12_2_RC1
- use system zlib
* Tue Sep 30 2008 Dennis Gilmore <dennis@ausil.us> -
- add sparc64 to the list of 64 bit arches
* Wed Sep 24 2008 Kai Engert <kaie@redhat.com> -
- bug 456847, move pkgconfig requirement to devel package
* Fri Sep 05 2008 Kai Engert <kengert@redhat.com> -
- Update to NSS_3_12_1_RC2
* Fri Aug 22 2008 Kai Engert <kaie@redhat.com> -
- NSS 3.12.1 RC1
* Fri Aug 15 2008 Kai Engert <kaie@redhat.com> -
- fix bug 429175 in libpem module
* Tue Aug 05 2008 Kai Engert <kengert@redhat.com> -
- bug 456847, add Requires: pkgconfig
* Tue Jun 24 2008 Kai Engert <kengert@redhat.com> -
- nss package should own /etc/prelink.conf.d folder, rhbz#452062
- use upstream patch to fix test suite abort
* Mon Jun 02 2008 Kai Engert <kengert@redhat.com> -
- Update to NSS_3_12_RC4
* Mon Apr 14 2008 Kai Engert <kengert@redhat.com> -
- Update to NSS_3_12_RC2
* Thu Mar 20 2008 Jesse Keating <jkeating@redhat.com> -
- Zapping old Obsoletes/Provides. No longer needed, causes multilib headache.
* Mon Mar 17 2008 Kai Engert <kengert@redhat.com> -
- Update to NSS_3_12_BETA3
* Fri Feb 22 2008 Kai Engert <kengert@redhat.com> -
- NSS 3.12 Beta 2
- Use /usr/lib{64} as devel libdir, create symbolic links.
* Sat Feb 16 2008 Kai Engert <kengert@redhat.com> -
- Apply upstream patch for bug 417664, enable test suite on pcc.
* Fri Feb 15 2008 Kai Engert <kengert@redhat.com> -
- Support concurrent runs of the test suite on a single build host.
* Thu Feb 14 2008 Kai Engert <kengert@redhat.com> -
- disable test suite on ppc
* Thu Feb 14 2008 Kai Engert <kengert@redhat.com> -
- disable test suite on ppc64
* Thu Feb 14 2008 Kai Engert <kengert@redhat.com> -
- Build against gcc 4.3.0, use workaround for bug 432146
- Run the test suite after the build and abort on failures.
* Thu Jan 24 2008 Kai Engert <kengert@redhat.com> -
- NSS 3.12 Beta 1
* Mon Jan 07 2008 Kai Engert <kengert@redhat.com> -
- move .so files to /lib
* Wed Dec 12 2007 Kai Engert <kengert@redhat.com> -
- NSS 3.12 alpha 2b
* Mon Dec 03 2007 Kai Engert <kengert@redhat.com> -
- upstream patches to avoid calling netstat for random data
* Wed Nov 07 2007 Kai Engert <kengert@redhat.com> -
- NSS 3.12 alpha 2
* Wed Oct 10 2007 Kai Engert <kengert@redhat.com> - 3.11.7-10
- Add /etc/prelink.conf.d/nss-prelink.conf in order to blacklist
our signed libraries and protect them from modification.
* Thu Sep 06 2007 Rob Crittenden <rcritten@redhat.com> - 3.11.7-9
- Fix off-by-one error in the PEM module
* Thu Sep 06 2007 Kai Engert <kengert@redhat.com> - 3.11.7-8
- fix a C++ mode compilation error
* Wed Sep 05 2007 Bob Relyea <rrelyea@redhat.com> - 3.11.7-7
- Add 3.12 ckfw and libnsspem
* Tue Aug 28 2007 Kai Engert <kengert@redhat.com> - 3.11.7-6
- Updated license tag
* Wed Jul 11 2007 Kai Engert <kengert@redhat.com> - 3.11.7-5
- Ensure the workaround for mozilla bug 51429 really gets built.
* Mon Jun 18 2007 Kai Engert <kengert@redhat.com> - 3.11.7-4
- Better approach to ship freebl/softokn based on 3.11.5
- Remove link time dependency on softokn
* Sun Jun 10 2007 Kai Engert <kengert@redhat.com> - 3.11.7-3
- Fix unowned directories, rhbz#233890
* Fri Jun 01 2007 Kai Engert <kengert@redhat.com> - 3.11.7-2
- Update to 3.11.7, but freebl/softokn remain at 3.11.5.
- Use a workaround to avoid mozilla bug 51429.
* Fri Mar 02 2007 Kai Engert <kengert@redhat.com> - 3.11.5-2
- Fix rhbz#230545, failure to enable FIPS mode
- Fix rhbz#220542, make NSS more tolerant of resets when in the
middle of prompting for a user password.
* Sat Feb 24 2007 Kai Engert <kengert@redhat.com> - 3.11.5-1
- Update to 3.11.5
- This update fixes two security vulnerabilities with SSL 2
- Do not use -rpath link option
- Added several unsupported tools to tools package
* Tue Jan 9 2007 Bob Relyea <rrelyea@redhat.com> - 3.11.4-4
- disable ECC, cleanout dead code
* Tue Nov 28 2006 Kai Engert <kengert@redhat.com> - 3.11.4-1
- Update to 3.11.4
* Thu Sep 14 2006 Kai Engert <kengert@redhat.com> - 3.11.3-2
- Revert the attempt to require latest NSPR, as it is not yet available
in the build infrastructure.
* Thu Sep 14 2006 Kai Engert <kengert@redhat.com> - 3.11.3-1
- Update to 3.11.3
* Thu Aug 03 2006 Kai Engert <kengert@redhat.com> - 3.11.2-2
- Add /etc/pki/nssdb
* Wed Jul 12 2006 Jesse Keating <jkeating@redhat.com> - 3.11.2-1.1
- rebuild
* Fri Jun 30 2006 Kai Engert <kengert@redhat.com> - 3.11.2-1
- Update to 3.11.2
- Enable executable bit on shared libs, also fixes debug info.
* Wed Jun 14 2006 Kai Engert <kengert@redhat.com> - 3.11.1-2
- Enable Elliptic Curve Cryptography (ECC)
* Fri May 26 2006 Kai Engert <kengert@redhat.com> - 3.11.1-1
- Update to 3.11.1
- Include upstream patch to limit curves
* Wed Feb 15 2006 Kai Engert <kengert@redhat.com> - 3.11-4
- add --noexecstack when compiling assembler on x86_64
* Fri Feb 10 2006 Jesse Keating <jkeating@redhat.com> - 3.11-3.2
- bump again for double-long bug on ppc(64)
* Tue Feb 07 2006 Jesse Keating <jkeating@redhat.com> - 3.11-3.1
- rebuilt for new gcc4.1 snapshot and glibc changes
* Thu Jan 19 2006 Ray Strode <rstrode@redhat.com> 3.11-3
- rebuild
* Fri Dec 16 2005 Christopher Aillon <caillon@redhat.com> 3.11-2
- Update file list for the devel packages
* Thu Dec 15 2005 Christopher Aillon <caillon@redhat.com> 3.11-1
- Update to 3.11
* Thu Dec 15 2005 Christopher Aillon <caillon@redhat.com> 3.11-0.cvs.2
- Add patch to allow building on ppc*
- Update the pkgconfig file to Require nspr
* Thu Dec 15 2005 Christopher Aillon <caillon@redhat.com> 3.11-0.cvs
- Initial import into Fedora Core, based on a CVS snapshot of
the NSS_3_11_RTM tag
- Fix up the pkcs11-devel subpackage to contain the proper headers
- Build with RPM_OPT_FLAGS
- No need to have rpath of /usr/lib in the pc file
* Thu Dec 15 2005 Kai Engert <kengert@redhat.com>
- Addressed review comments by Wan-Teh Chang, Bob Relyea,
Christopher Aillon.
* Tue Jul 9 2005 Rob Crittenden <rcritten@redhat.com> 3.10-1
- Initial build