From e36079dd455beeb913eb7a1c77a87d4929f8089a Mon Sep 17 00:00:00 2001 From: Elio Maldonado Date: Tue, 18 Jun 2013 17:45:38 -0700 Subject: [PATCH] Build nss without softoken or util sources in the tree - Resolves: rhbz#689918 --- no-softoken-freebl-tests.patch | 19 ----- nss.spec | 131 +++++++++++++------------------ utilwrap-include-templates.patch | 14 ++-- 3 files changed, 59 insertions(+), 105 deletions(-) delete mode 100644 no-softoken-freebl-tests.patch diff --git a/no-softoken-freebl-tests.patch b/no-softoken-freebl-tests.patch deleted file mode 100644 index 3c2b9ae..0000000 --- a/no-softoken-freebl-tests.patch +++ /dev/null @@ -1,19 +0,0 @@ -diff -up nss/cmd/Makefile.nosoftokentests nss/cmd/Makefile ---- nss/cmd/Makefile.nosoftokentests 2013-05-30 23:43:20.982027783 -0700 -+++ nss/cmd/Makefile 2013-05-30 23:47:11.865874884 -0700 -@@ -19,9 +19,15 @@ BLTEST_SRCDIR = - FIPSTEST_SRCDIR = - SHLIBSIGN_SRCDIR = - else -+ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1) -+BLTEST_SRCDIR = -+FIPSTEST_SRCDIR = -+SHLIBSIGN_SRCDIR = -+else - BLTEST_SRCDIR = bltest - FIPSTEST_SRCDIR = fipstest - SHLIBSIGN_SRCDIR = shlibsign -+endif - endif - - LOWHASHTEST_SRCDIR= diff --git a/nss.spec b/nss.spec index 168584f..3998a4e 100644 --- a/nss.spec +++ b/nss.spec @@ -19,7 +19,7 @@ Summary: Network Security Services Name: nss Version: 3.15 -Release: 3%{?dist} +Release: 4%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Group: System Environment/Libraries @@ -89,14 +89,14 @@ Patch29: nss-ssl-cbc-random-iv-off-by-default.patch Patch39: nss-ssl-enforce-no-pkcs11-bypass.path # TODO: Remove this patch when the ocsp test are fixed Patch40: nss-3.14.0.0-disble-ocsp-test.patch -# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=835919 -Patch43: no-softoken-freebl-tests.patch Patch44: 0001-sync-up-with-upstream-softokn-changes.patch Patch45: Bug-896651-pem-dont-trash-keys-on-failed-login.patch # The ocsp stapling tests currently require access to the # kuix.de test server but koji forbids outbount connections Patch46: disable-ocsp-stapling-tests.patch +# Fedora / RHEL-only patch, the templates directory was originally introduced to support mod_revocator Patch47: utilwrap-include-templates.patch +# TODO submit this patch upstream Patch48: nss-versus-softoken-tests.patch # TODO remove when we switch to building nss without softoken Patch49: nss-skip-bltest-and-fipstest.patch @@ -186,14 +186,30 @@ low level services. #%patch29 -p0 -b .cbcrandomivoff #%patch39 -p0 -b .nobypass %patch40 -p0 -b .noocsptest -#%patch43 -p0 -b .nosoftokentests %patch44 -p1 -b .syncupwithupstream %patch45 -p0 -b .notrash %patch46 -p0 -b .skipoutbound -#%patch47 -p0 -b .templates +%patch47 -p0 -b .templates %patch48 -p0 -b .crypto %patch49 -p0 -b .skipthem +######################################################### +# Higher-level libraries and test tools need access to +# module-private headers from util, freebl, and softoken +# until fixed upstream we must copy some headers locally +######################################################### + +pemNeedsFromSoftoken="lowkeyi lowkeyti softoken softoknt" +for file in ${pemNeedsFromSoftoken}; do + %{__cp} ./nss/lib/softoken/${file}.h ./nss/lib/ckfw/pem/ +done + +# Copying these header util the upstream bug is accepted +# Upstream https://bugzilla.mozilla.org/show_bug.cgi?id=820207 +%{__cp} ./nss/lib/softoken/lowkeyi.h ./nss/cmd/rsaperf +%{__cp} ./nss/lib/softoken/lowkeyti.h ./nss/cmd/rsaperf + + %build NSS_NO_PKCS11_BYPASS=1 @@ -226,9 +242,25 @@ NSPR_LIB_DIR=%{_libdir} export NSPR_INCLUDE_DIR export NSPR_LIB_DIR +export NSSUTIL_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nss-util | sed 's/-I//'` +export NSSUTIL_LIB_DIR=%{_libdir} + export FREEBL_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nss-softokn | sed 's/-I//'` export FREEBL_LIB_DIR=%{_libdir} export USE_SYSTEM_FREEBL=1 +# FIXME choose one or the other style and submit a patch upstream +# wtc has suggested using NSS_USE_SYSTEM_FREEBL +export NSS_USE_SYSTEM_FREEBL=1 + +export FREEBL_LIBS=`/usr/bin/pkg-config --libs nss-softokn` + +export SOFTOKEN_LIB_DIR=%{_libdir} +# use the system ones +export USE_SYSTEM_NSSUTIL=1 +export USE_SYSTEM_SOFTOKEN=1 + +# tell the upstream build system what we are doing +export NSS_BUILD_WITHOUT_SOFTOKEN=1 NSS_USE_SYSTEM_SQLITE=1 export NSS_USE_SYSTEM_SQLITE @@ -238,24 +270,16 @@ USE_64=1 export USE_64 %endif -##### phase 1: build freebl/softokn shared libraries -# there no ecc in freebl -unset NSS_ENABLE_ECC -# Compile softoken plus needed support -%{__make} -C ./nss/coreconf - -%{__make} -C ./nss/lib/util export -%{__make} -C ./nss/lib/freebl export -%{__make} -C ./nss/lib/softoken export - -%{__make} -C ./nss/lib/util -%{__make} -C ./nss/lib/dbm -%{__make} -C ./nss/lib/freebl -%{__make} -C ./nss/lib/softoken - -# stash away the bltest and fipstest to build them last -tar cf build_these_later.tar ./nss/cmd/bltest ./nss/cmd/fipstest -rm -rf ./nss/cmd/bltest ./nss/cmd/fipstest +##### phase 1: remove util/freebl/softoken and low level tools +# +######## Remove freebl, softoken and util +%{__rm} -rf ./mozilla/security/nss/lib/freebl +%{__rm} -rf ./mozilla/security/nss/lib/softoken +%{__rm} -rf ./mozilla/security/nss/lib/util +######## Remove nss-softokn test tools +%{__rm} -rf ./mozilla/security/nss/cmd/bltest +%{__rm} -rf ./mozilla/security/nss/cmd/fipstest +%{__rm} -rf ./mozilla/security/nss/cmd/rsaperf_low ##### phase 2: build the rest of nss # nss supports pluggable ecc @@ -264,23 +288,12 @@ export NSS_ENABLE_ECC NSS_ECC_MORE_THAN_SUITE_B=1 export NSS_ECC_MORE_THAN_SUITE_B -# We only ship the nss proper libraries, no softoken nor util, yet -# we must compile with the entire source tree because nss needs -# private exports from util. The install section will ensure not -# to override nss-util and nss-softoken headers already installed. -# export NSS_BLTEST_NOT_AVAILABLE=1 %{__make} -C ./nss/coreconf %{__make} -C ./nss/lib/dbm %{__make} -C ./nss unset NSS_BLTEST_NOT_AVAILABLE -##### phase 3: build bltest and fipstest -tar xf build_these_later.tar -unset NSS_ENABLE_ECC; %{__make} -C ./nss/cmd/bltest -unset NSS_ENABLE_ECC; %{__make} -C ./nss/cmd/fipstest -%{__rm} -f build_these_later.tar - # Set up our package file # The nspr_version and nss_{util|softokn}_version globals used # here match the ones nss has for its Requires. @@ -340,6 +353,9 @@ export USE_64 export NSS_BLTEST_NOT_AVAILABLE=1 +# needed for the fips manging test +export SOFTOKEN_LIB_DIR=%{_libdir} + # End -- copied from the build section # enable the following line to force a test failure @@ -477,49 +493,6 @@ done # Copy the pkcs #11 configuration script %{__install} -p -m 755 ./dist/pkgconfig/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh -#remove the nss-util-devel headers -rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/base64.h -rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/ciferfam.h -rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/nssb64.h -rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/nssb64t.h -rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslocks.h -rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/nssilock.h -rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/nssilckt.h -rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/nssrwlk.h -rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/nssrwlkt.h -rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/nssutil.h -rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/pkcs11.h -rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/pkcs11f.h -rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/pkcs11n.h -rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/pkcs11p.h -rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/pkcs11t.h -rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/pkcs11u.h -rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/portreg.h -rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/secasn1.h -rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/secasn1t.h -rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/seccomon.h -rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/secder.h -rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/secdert.h -rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/secdig.h -rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/secdigt.h -rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/secerr.h -rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/secitem.h -rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/secoid.h -rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/secoidt.h -rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/secport.h -rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/utilrename.h -rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/utilmodt.h -rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/utilpars.h -rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/utilparst.h - -#remove headers shipped nss-softokn-devel and nss-softokn-freebl-devel -rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/alghmac.h -rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/blapit.h -rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/ecl-exp.h -rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/hasht.h -rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/shsign.h -rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslowhash.h - %clean %{__rm} -rf $RPM_BUILD_ROOT @@ -694,6 +667,10 @@ fi %changelog +* Tue Jun 18 2013 emaldona - 3.15-4 +- Build nss without softoken or util sources in the tree +- Resolves: rhbz#689918 + * Mon Jun 17 2013 emaldona - 3.15-3 - Update ssl-cbc-random-iv-by-default.patch diff --git a/utilwrap-include-templates.patch b/utilwrap-include-templates.patch index 4f468f4..649b548 100644 --- a/utilwrap-include-templates.patch +++ b/utilwrap-include-templates.patch @@ -1,17 +1,13 @@ -Index: ./nss/lib/nss/config.mk -=================================================================== -RCS file: /cvsroot/nss/lib/nss/config.mk,v -retrieving revision 1.37 -diff -u -p -r1.37 config.mk ---- ./nss/lib/nss/config.mk 25 Apr 2012 14:50:03 -0000 1.37 -+++ ./nss/lib/nss/config.mk 7 Feb 2013 02:22:58 -0000 +diff -up nss/lib/nss/config.mk.templates nss/lib/nss/config.mk +--- nss/lib/nss/config.mk.templates 2013-06-18 11:32:07.590089155 -0700 ++++ nss/lib/nss/config.mk 2013-06-18 11:33:28.732763345 -0700 @@ -3,6 +3,10 @@ # License, v. 2.0. If a copy of the MPL was not distributed with this # file, You can obtain one at http://mozilla.org/MPL/2.0/. -+ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1) ++#ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1) +INCLUDES += -I/usr/include/nss3/templates -+endif ++#endif + # can't do this in manifest.mn because OS_TARGET isn't defined there. ifeq (,$(filter-out WIN%,$(OS_TARGET)))