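# Package definition for nss-nspr-for-apps: NSS and NSPR built from one
# combined source tarball and installed under a private nss-nspr-for-apps
# subdirectory of the library and include directories.

# Directory that receives the tools shipped without support
%global unsupported_tools_directory %{_libdir}/nss-nspr-for-apps/unsupported-tools
%global allTools "certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv"

# Upstream release numbers of the bundled sources; they select the Source0
# tarball name and the directory unpacked by the setup step.
%global org_nss_version 3.32
%global org_nspr_version 4.16

Summary:          Network Security Services and Portable Runtime for Applications
Name:             nss-nspr-for-apps
Version:          3.32.0
# for Rawhide, please always use release >= 2
# for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
Release:          3%{?dist}
License:          MPLv2.0
URL:              http://www.mozilla.org/projects/security/pki/nss/
Group:            Applications/Internet
# p11-kit-trust is required at run time (presumably as the source of the
# trust anchors; confirm against the packaging notes).
Requires:         p11-kit-trust
BuildRoot:        %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires:    sqlite-devel
BuildRequires:    zlib-devel
BuildRequires:    pkgconfig
BuildRequires:    gawk
BuildRequires:    psmisc
BuildRequires:    perl-interpreter
Conflicts:        filesystem < 3

# NOTE(review): Source0 is a locally assembled NSS+NSPR bundle with no download
# URL, so its provenance cannot be checked from this spec. Record how the
# tarball is produced and verify the upstream release checksums before bundling.
Source0:          nss-%{org_nss_version}-with-nspr-%{org_nspr_version}.tar.gz
Source1:          nss.pc.in
Source2:          nss-config.in
Source3:          nspr.pc.in
Source4:          nspr-config.in

Patch2:           add-relro-linker-option.patch
# NOTE(review): judging by its name this patch changes the default TLS
# renegotiation behaviour; the patch body is not visible here, so confirm
# which default it sets before relying on it.
Patch3:           renegotiate-transitional.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=617723
Patch16:          nss-539183.patch
# TODO: Remove this patch when the ocsp tests are fixed
# While it is applied the OCSP tests are not exercised by the package build.
Patch40:          nss-3.14.0.0-disble-ocsp-test.patch
# TODO remove when we switch to building nss without softoken
# While it is applied bltest and fipstest are skipped, so the low-level
# crypto self-tests do not gate the package build.
Patch49:          nss-skip-bltest-and-fipstest.patch
# This patch uses the gcc-iquote dir option documented at
# http://gcc.gnu.org/onlinedocs/gcc/Directory-Options.html#Directory-Options
# to place the in-tree directories at the head of the list of directories
# to be searched for header files. This ensures a build even when system
# headers are older. Such is the case when starting an update with API changes or even private export changes.
# Once the buildroot has been bootstrapped the patch may be removed but it doesn't hurt to keep it.
Patch50:          iquote.patch
# Local patch for TLS_ECDHE_{ECDSA|RSA}_WITH_3DES_EDE_CBC_SHA ciphers
# NOTE(review): this turns 3DES suites on by default. 3DES is a 64-bit block
# cipher and is exposed to birthday-bound (Sweet32-style) attacks on long-lived
# connections; confirm that consumers of this bundle still need these suites.
Patch58:          rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520
Patch59:          nss-check-policy-file.patch

%description
A bundle of Network Security Services (NSS) and Portable Runtime (NSPR) libraries,
intended for applications that are updated frequently.

%package devel
Summary:          Development libraries for nss-nspr-for-apps
Group:            Development/Libraries
Requires:         nss-nspr-for-apps = %{version}-%{release}
Requires:         pkgconfig
Conflicts:        filesystem < 3

%description devel
Header and Library files for doing development with nss-nspr-for-apps.

%prep
%setup -q -n nss-%{org_nss_version}

# Patches 2-58 apply from the top of the unpacked tree (-p0); patch 59 is
# applied from inside the nss subdirectory with -p1.
%patch2 -p0 -b .relro
%patch3 -p0 -b .transitional
%patch16 -p0 -b .539183
%patch40 -p0 -b .noocsptest
%patch49 -p0 -b .skipthem
%patch50 -p0 -b .iquote
%patch58 -p0 -b .1185708_3des
pushd nss
%patch59 -p1 -b .check_policy_file
popd

%build

# partial RELRO support as a security enhancement
# Append with a separating space: a bare "LDFLAGS+=..." glues the option onto
# the last flag already present in LDFLAGS and corrupts both.
# NOTE(review): -z relro alone leaves the lazily bound GOT entries writable;
# full RELRO additionally needs -Wl,-z,now. Consider adding it if eager
# binding is acceptable for the applications using this bundle.
LDFLAGS="${LDFLAGS:+$LDFLAGS }-Wl,-z,relro"
export LDFLAGS

#### TODO - how can we pass this to nspr configure as part of nss build?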
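# %ifarch armv7l armv7hl armv7nhl
#         --enable-thumb2 \
# %endif

# Remainder of the build step: export the NSS build switches, run the
# combined NSS/NSPR build, then generate the pkg-config files and the
# nss-config / nspr-config scripts from their templates.

NSS_NO_PKCS11_BYPASS=1
export NSS_NO_PKCS11_BYPASS

# Enable compiler optimizations and disable debugging code
export BUILD_OPT=1

# Uncomment to disable optimizations
#RPM_OPT_FLAGS=`echo $RPM_OPT_FLAGS | sed -e 's/-O2/-O0/g'`
#export RPM_OPT_FLAGS

# Generate symbolic info for debuggers
XCFLAGS=$RPM_OPT_FLAGS
export XCFLAGS

PKG_CONFIG_ALLOW_SYSTEM_LIBS=1
PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1

export PKG_CONFIG_ALLOW_SYSTEM_LIBS
export PKG_CONFIG_ALLOW_SYSTEM_CFLAGS

NSS_USE_SYSTEM_SQLITE=1
export NSS_USE_SYSTEM_SQLITE

%ifnarch noarch
%if 0%{__isa_bits} == 64
USE_64=1
export USE_64
%endif
%endif

# Set the policy file location
# if set NSS will always check for the policy file and load if it exists
export POLICY_FILE="nss.config"
# location of the policy file
export POLICY_PATH="/etc/crypto-policies/back-ends"

export NSPR_PREFIX=%{_prefix}

%{__make} -C ./nss nss_build_all

# Set up our package file
# The nspr_version and nss_{util|softokn}_version globals used
# here match the ones nss has for its Requires.
# Using the current %%{nss_softokn_version} for fedora again
%{__mkdir_p} ./dist/pkgconfig

# Read the version components straight from the headers that were just
# built, so the generated .pc and -config files always match the sources.
NSPR_VMAJOR=$(awk '/#define.*PR_VMAJOR/ {print $3}' nspr/pr/include/prinit.h)
NSPR_VMINOR=$(awk '/#define.*PR_VMINOR/ {print $3}' nspr/pr/include/prinit.h)
NSPR_VPATCH=$(awk '/#define.*PR_VPATCH/ {print $3}' nspr/pr/include/prinit.h)

NSS_VMAJOR=$(awk '/#define.*NSS_VMAJOR/ {print $3}' nss/lib/nss/nss.h)
NSS_VMINOR=$(awk '/#define.*NSS_VMINOR/ {print $3}' nss/lib/nss/nss.h)
NSS_VPATCH=$(awk '/#define.*NSS_VPATCH/ {print $3}' nss/lib/nss/nss.h)

export NSPR_VMAJOR
export NSPR_VMINOR
export NSPR_VPATCH

export NSS_VMAJOR
export NSS_VMINOR
export NSS_VPATCH

NSPR_VERSION="$NSPR_VMAJOR.$NSPR_VMINOR.$NSPR_VPATCH"
NSS_VERSION="$NSS_VMAJOR.$NSS_VMINOR.$NSS_VPATCH"

# nspr.pc from Source3
sed -e "s,%%libdir%%,%{_libdir}/nss-nspr-for-apps/lib,g" \
    -e "s,%%prefix%%,%{_prefix},g" \
    -e "s,%%exec_prefix%%,%{_prefix},g" \
    -e "s,%%includedir%%,%{_includedir}/nss-nspr-for-apps/nspr4,g" \
    -e "s,%%NSPR_VERSION%%,$NSPR_VERSION,g" \
    %{SOURCE3} > ./dist/pkgconfig/nspr.pc

# nss.pc from Source1
sed -e "s,%%libdir%%,%{_libdir}/nss-nspr-for-apps/lib,g" \
    -e "s,%%prefix%%,%{_prefix},g" \
    -e "s,%%exec_prefix%%,%{_prefix},g" \
    -e "s,%%includedir%%,%{_includedir}/nss-nspr-for-apps/nss3,g" \
    -e "s,%%NSS_VERSION%%,$NSS_VERSION,g" \
    %{SOURCE1} > ./dist/pkgconfig/nss.pc

# nss-config from Source2
sed -e "s,@libdir@,%{_libdir}/nss-nspr-for-apps/lib,g" \
    -e "s,@prefix@,%{_prefix},g" \
    -e "s,@exec_prefix@,%{_prefix},g" \
    -e "s,@includedir@,%{_includedir}/nss-nspr-for-apps/nss3,g" \
    -e "s,@MOD_MAJOR_VERSION@,$NSS_VMAJOR,g" \
    -e "s,@MOD_MINOR_VERSION@,$NSS_VMINOR,g" \
    -e "s,@MOD_PATCH_VERSION@,$NSS_VPATCH,g" \
    %{SOURCE2} > ./dist/pkgconfig/nss-config

# nspr-config from Source4
sed -e "s,@libdir@,%{_libdir}/nss-nspr-for-apps/lib,g" \
    -e "s,@prefix@,%{_prefix},g" \
    -e "s,@exec_prefix@,%{_prefix},g" \
    -e "s,@includedir@,%{_includedir}/nss-nspr-for-apps/nspr4,g" \
    -e "s,@MOD_MAJOR_VERSION@,$NSPR_VMAJOR,g" \
    -e "s,@MOD_MINOR_VERSION@,$NSPR_VMINOR,g" \
    -e "s,@MOD_PATCH_VERSION@,$NSPR_VPATCH,g" \
    %{SOURCE4} > ./dist/pkgconfig/nspr-config

chmod 755 ./dist/pkgconfig/nss-config
chmod 755 ./dist/pkgconfig/nspr-config

%check
# Setting DISABLETEST=1 in the build environment skips every test below.
if [ "${DISABLETEST:-0}" -eq 1 ]; then
  echo "testing disabled"
  exit 0
fi

export BUILD_OPT=1

%ifnarch noarch
%if 0%{__isa_bits} == 64
USE_64=1
export USE_64
%endif
%endif

# Run test suite.

perl ./nspr/pr/tests/runtests.pl 2>&1 | tee output.log

# grep -c prints the match count and exits 1 when that count is 0, hence "|| :".
TEST_FAILURES=$(grep -c FAILED ./output.log) || :
# Fail closed: anything other than an exact count of 0 (including an empty
# value when the log could not be read) stops the build.
# NOTE(review): the pipeline status above is that of tee, so a runner that
# dies without printing FAILED still passes this gate; consider also checking
# the exit status of perl once its exit-code convention is confirmed.
if [ "${TEST_FAILURES:-1}" != "0" ]; then
  echo "error: test suite returned failure(s)"
  exit 1
fi
echo "NSPR test suite completed"

# This is necessary because the test suite tests algorithms that are
# disabled by the system policy.
# The variable is exported for the test run in this section only.
export NSS_IGNORE_SYSTEM_POLICY=1

# enable the following line to force a test failure
# find ./nss -name \*.chk | xargs rm -f

# Run test suite.
# In order to support multiple concurrent executions of the test suite
# (caused by concurrent RPM builds) on a single host,
# we'll use a random port. Also, we want to clean up any stuck
# selfserv processes. If process name "selfserv" is used everywhere,
# we can't simply do a "killall selfserv", because it could disturb
# concurrent builds. Therefore we'll do a search and replace and use
# a different process name.
# Using xargs doesn't mix well with spaces in filenames, in order to
# avoid weird quoting we'll require that no spaces are being used.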
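# Prepare and run the NSS test suite: refuse file names with spaces, pick a
# per-build port and selfserv process name, rewrite the test scripts to use
# that name, then run all.sh.

# grep -c exits 1 when the count is 0, hence "||:". An empty result is
# treated like a hit so the check fails closed.
SPACEISBAD=$(find ./nss/tests | grep -c ' ') ||:
if [ "${SPACEISBAD:-1}" != "0" ]; then
  echo "error: filenames containing space are not supported (xargs)"
  exit 1
fi

# Port in the range 9000-9999; it doubles as the suffix of the per-build
# selfserv name.
# NOTE(review): the port is not checked for availability, and two concurrent
# builds drawing the same number would also share the process name that the
# killall calls target.
MYRAND=$(perl -e 'print 9000 + int rand 1000'); echo "$MYRAND" ||:
RANDSERV=selfserv_${MYRAND}; echo "$RANDSERV" ||:
DISTBINDIR=$(ls -d ./dist/*.OBJ/bin); echo "$DISTBINDIR" ||:

# Create the renamed selfserv link next to the real binary; the subshell
# keeps the working directory of the main script unchanged.
(
  cd "$DISTBINDIR"
  ln -s selfserv "$RANDSERV"
)

# man perlrun, man perlrequick
# replace word-occurrences of selfserv with selfserv_$MYRAND
# RANDSERV is expanded by the shell into the perl expression; it is built
# above from a fixed prefix plus digits only.
find ./nss/tests -type f |\
  grep -v "\.db$" | grep -v "\.crl$" | grep -v "\.crt$" |\
  grep -vw CVS | xargs grep -lw selfserv |\
  xargs -L 1 perl -pi -e "s/\bselfserv\b/$RANDSERV/g" ||:

# Clean up a stuck server left behind under the same name, if any.
killall "$RANDSERV" || :

rm -rf ./tests_results
pushd ./nss/tests/
# all.sh is the test suite script

#  don't need to run all the tests when testing packaging
#  nss_cycles: standard pkix upgradedb sharedb
#  the full list from all.sh is:
#  "cipher lowhash libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests"
%define nss_tests "cipher lowhash libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests"
#  nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr policy
#  nss_ssl_run: cov auth stapling stress
#
# Uncomment these lines if you need to temporarily
# disable some test suites for faster test builds
# % define nss_ssl_tests "normal_fips"
# % define nss_ssl_run "cov"

# Left unquoted on purpose: echo collapses a whitespace-only value to an
# empty string, so the emptiness test below behaves as before.
SKIP_NSS_TEST_SUITE=$(echo $SKIP_NSS_TEST_SUITE)

if [ -z "$SKIP_NSS_TEST_SUITE" ]; then
  HOST=localhost DOMSUF=localdomain PORT=$MYRAND NSS_CYCLES=%{?nss_cycles} NSS_TESTS=%{?nss_tests} NSS_SSL_TESTS=%{?nss_ssl_tests} NSS_SSL_RUN=%{?nss_ssl_run} ./all.sh
else
  echo "skipped test suite"
fi
popd

# Normally, the grep exit status is 0 if selected lines are found and 1 otherwise,
# Grep exits with status greater than 1 if an error occurred.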
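# If there are test failures we expect TEST_FAILURES > 0 and GREP_EXIT_STATUS = 0,
# With no test failures we expect TEST_FAILURES = 0 and GREP_EXIT_STATUS = 1, whereas
# GREP_EXIT_STATUS > 1 would indicate an error in grep such as failure to find the log file.
killall "$RANDSERV" || :

# Start from a known value. GREP_EXIT_STATUS is only assigned when grep exits
# non-zero, so a value of 1 inherited from the build environment would
# otherwise turn real failures into "no failures".
GREP_EXIT_STATUS=0
if [ "x$SKIP_NSS_TEST_SUITE" == "x" ]; then
  TEST_FAILURES=$(grep -c FAILED ./tests_results/security/localhost.1/output.log) || GREP_EXIT_STATUS=$?
else
  # NOTE(review): a skipped suite is reported below with the same
  # "no failures" message as a clean run; the earlier "skipped test suite"
  # line is the only trace of the skip in the build log.
  TEST_FAILURES=0
  GREP_EXIT_STATUS=1
fi

case "$GREP_EXIT_STATUS" in
  1)
    echo "okay: test suite detected no failures"
    ;;
  0)
    # while a situation in which grep return status is 0 and it doesn't output
    # anything shouldn't happen, set the default to something that is
    # obviously wrong (-1)
    echo "error: test suite had ${TEST_FAILURES:--1} test failure(s)"
    exit 1
    ;;
  2)
    echo "error: grep has not found log file"
    exit 1
    ;;
  *)
    echo "error: grep failed with exit code: ${GREP_EXIT_STATUS}"
    exit 1
    ;;
esac
echo "test suite completed"

%install

# Lay out the private tree: headers, libraries, tools and pkg-config files
# all live under nss-nspr-for-apps specific directories.
%{__rm} -rf $RPM_BUILD_ROOT
%{__mkdir_p} $RPM_BUILD_ROOT/%{_includedir}/nss-nspr-for-apps/nspr4
%{__mkdir_p} $RPM_BUILD_ROOT/%{_includedir}/nss-nspr-for-apps/nss3
%{__mkdir_p} $RPM_BUILD_ROOT/%{_libdir}/nss-nspr-for-apps/bin
%{__mkdir_p} $RPM_BUILD_ROOT/%{_bindir}
%{__mkdir_p} $RPM_BUILD_ROOT/%{_libdir}/nss-nspr-for-apps/lib
%{__mkdir_p} $RPM_BUILD_ROOT/%{unsupported_tools_directory}
%{__mkdir_p} $RPM_BUILD_ROOT/%{_libdir}/pkgconfig

#NSPR: use install
# The NSPR install lands in a staging directory (dist-nspr) inside the build
# root; the wanted files are moved out of it below.
pushd nspr/Linux*
DESTDIR=$RPM_BUILD_ROOT/dist-nspr \
make install
popd

# Get rid of the things we don't want installed (per upstream)
%{__rm} -rf \
   $RPM_BUILD_ROOT/dist-nspr/usr/local/bin/compile-et.pl \
   $RPM_BUILD_ROOT/dist-nspr/usr/local/bin/prerr.properties \
   $RPM_BUILD_ROOT/dist-nspr/usr/local/bin/nspr-config \
   $RPM_BUILD_ROOT/dist-nspr/usr/local/lib/libnspr4.a \
   $RPM_BUILD_ROOT/dist-nspr/usr/local/lib/libplc4.a \
   $RPM_BUILD_ROOT/dist-nspr/usr/local/lib/libplds4.a \
   $RPM_BUILD_ROOT/dist-nspr/usr/local/lib/pkgconfig/nspr.pc \
   $RPM_BUILD_ROOT/dist-nspr/usr/local/share/aclocal/nspr.m4 \
   $RPM_BUILD_ROOT/dist-nspr/usr/local/include/nspr/md

mv $RPM_BUILD_ROOT/dist-nspr/usr/local/include/nspr/* $RPM_BUILD_ROOT/%{_includedir}/nss-nspr-for-apps/nspr4
mv $RPM_BUILD_ROOT/dist-nspr/usr/local/lib/*.so $RPM_BUILD_ROOT/%{_libdir}/nss-nspr-for-apps/lib

#NSS: There is no make install target so we'll do it ourselves.

# Copy the binary libraries we want
for file in libnssutil3.so libnssdbm3.so libsoftokn3.so libfreebl3.so libfreeblpriv3.so libnss3.so libnsssysinit.so libsmime3.so libssl3.so
do
  %{__install} -p -m 755 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}/nss-nspr-for-apps/lib
done

# Copy the development libraries we want
for file in libcrmf.a libnssb.a libnssckfw.a
do
  %{__install} -p -m 644 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}/nss-nspr-for-apps/lib
done

# Copy the binaries we want
for file in certutil cmsutil crlutil modutil pk12util signver ssltap
do
  %{__install} -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{_libdir}/nss-nspr-for-apps/bin
done

# Copy the binaries we ship as unsupported
# This list includes the selfserv test server and the tstclnt/strsclnt test
# clients; they go to the unsupported tools directory, not to the bin one.
for file in atob btoa derdump listsuites ocspclnt pp selfserv signtool strsclnt symkeyutil tstclnt vfyserv vfychain
do
  %{__install} -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{unsupported_tools_directory}
done

# Copy the include files we want
for file in dist/public/nss/*.h
do
  %{__install} -p -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss-nspr-for-apps/nss3
done

# Copy the package configuration files
# The .pc files are installed under "-for-apps" names in the shared
# pkgconfig directory.
%{__install} -p -m 644 ./dist/pkgconfig/nss.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss-for-apps.pc
%{__install} -p -m 755 ./dist/pkgconfig/nss-config $RPM_BUILD_ROOT/%{_libdir}/nss-nspr-for-apps/bin/nss-config
%{__install} -p -m 644 ./dist/pkgconfig/nspr.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nspr-for-apps.pc
%{__install} -p -m 755 ./dist/pkgconfig/nspr-config $RPM_BUILD_ROOT/%{_libdir}/nss-nspr-for-apps/bin/nspr-config

%clean
%{__rm} -rf $RPM_BUILD_ROOT

%files
%defattr(-,root,root)
%{!?_licensedir:%global license %%doc}
%license nss/COPYING
%{_libdir}/nss-nspr-for-apps/lib/libnspr4.so
%{_libdir}/nss-nspr-for-apps/lib/libplc4.so
%{_libdir}/nss-nspr-for-apps/lib/libplds4.so
%{_libdir}/nss-nspr-for-apps/lib/libnssutil3.so
%{_libdir}/nss-nspr-for-apps/lib/libnssdbm3.so
%{_libdir}/nss-nspr-for-apps/lib/libsoftokn3.so
%{_libdir}/nss-nspr-for-apps/lib/libfreebl3.so
%{_libdir}/nss-nspr-for-apps/lib/libfreeblpriv3.so
%{_libdir}/nss-nspr-for-apps/lib/libnss3.so
%{_libdir}/nss-nspr-for-apps/lib/libssl3.so
%{_libdir}/nss-nspr-for-apps/lib/libsmime3.so
%{_libdir}/nss-nspr-for-apps/lib/libnsssysinit.so
%{_libdir}/nss-nspr-for-apps/bin/certutil
%{_libdir}/nss-nspr-for-apps/bin/cmsutil
%{_libdir}/nss-nspr-for-apps/bin/crlutil
%{_libdir}/nss-nspr-for-apps/bin/modutil
%{_libdir}/nss-nspr-for-apps/bin/pk12util
%{_libdir}/nss-nspr-for-apps/bin/signver
%{_libdir}/nss-nspr-for-apps/bin/ssltap
%{unsupported_tools_directory}/atob
%{unsupported_tools_directory}/btoa
%{unsupported_tools_directory}/derdump
%{unsupported_tools_directory}/listsuites
%{unsupported_tools_directory}/ocspclnt
%{unsupported_tools_directory}/pp
%{unsupported_tools_directory}/selfserv
%{unsupported_tools_directory}/signtool
%{unsupported_tools_directory}/strsclnt
%{unsupported_tools_directory}/symkeyutil
%{unsupported_tools_directory}/tstclnt
%{unsupported_tools_directory}/vfyserv
%{unsupported_tools_directory}/vfychain

%files devel
%defattr(-,root,root)
%{_libdir}/nss-nspr-for-apps/lib/libcrmf.a
%{_libdir}/nss-nspr-for-apps/lib/libnssb.a
%{_libdir}/nss-nspr-for-apps/lib/libnssckfw.a
%{_libdir}/pkgconfig/nspr-for-apps.pc
%{_libdir}/pkgconfig/nss-for-apps.pc
%{_libdir}/nss-nspr-for-apps/bin/nss-config
%{_libdir}/nss-nspr-for-apps/bin/nspr-config

%dir %{_includedir}/nss-nspr-for-apps
%{_includedir}/nss-nspr-for-apps/nspr4/*.h
%{_includedir}/nss-nspr-for-apps/nspr4/obsolete/*.h
%{_includedir}/nss-nspr-for-apps/nspr4/private/*.h
%{_includedir}/nss-nspr-for-apps/nss3/*.h

# NOTE(review): the newest changelog entry below is for release 2 while the
# Release tag of this package is 3; add the missing entry when next editing.
%changelog
* Mon Aug 28 2017 Kai Engert - 3.32.0-2
- Initial package fork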