diff --git a/nss-disable-freebl-execstack.patch b/nss-disable-freebl-execstack.patch
new file mode 100644
index 0000000..60f7fc6
--- /dev/null
+++ b/nss-disable-freebl-execstack.patch
@@ -0,0 +1,11 @@
+--- softoken-3.12.4.0/mozilla/security/nss/lib/freebl/Makefile-save 2009-04-02 08:46:32.083530732 -0700
++++ softoken-3.12.4.0/mozilla/security/nss/lib/freebl/Makefile 2009-04-02 08:46:51.740542226 -0700
+@@ -133,7 +133,7 @@
+ ifeq ($(OS_TARGET),Linux)
+ ifeq ($(CPU_ARCH),x86_64)
+ ASFILES = arcfour-amd64-gas.s mpi_amd64_gas.s
+- ASFLAGS += -march=opteron -m64 -fPIC
++ ASFLAGS += -march=opteron -m64 -fPIC -Wa,--noexecstack
+ DEFINES += -DNSS_BEVAND_ARCFOUR -DMPI_AMD64 -DMP_ASSEMBLY_MULTIPLY
+ DEFINES += -DNSS_USE_COMBA
+ DEFINES += -DMP_CHAR_STORE_SLOW -DMP_IS_LITTLE_ENDIAN
diff --git a/nss-softokn-config.in b/nss-softokn-config.in
new file mode 100644
index 0000000..a403ee2
--- /dev/null
+++ b/nss-softokn-config.in
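Review bot: Nothing visible in this commit applies this patch: nss-softokn.spec lists only `Patch1: nss-nolocalsql.patch` and `Patch2: nss-stubs-bug502133.patch`, and the paths here are rooted at `softoken-3.12.4.0/` while the spec applies its patches with `-p0` against a tree rooted at `./mozilla`. If the file is staged for the 3.12.4 rebase, a comment in the spec should say so; otherwise, as far as the spec shows, the x86_64 freebl assembly is still built without `-Wa,--noexecstack`. Once the patch is wired in, `readelf -lW` on the built libfreebl3.so should show the GNU_STACK header as RW rather than RWE, which is worth checking in the build. The flag is added only in the Linux x86_64 branch; other branches that set ASFILES are outside the hunk and may need the same treatment.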
@@ -0,0 +1,142 @@
+#!/bin/sh
+
+prefix=@prefix@
+
+major_version=@MOD_MAJOR_VERSION@
+minor_version=@MOD_MINOR_VERSION@
+patch_version=@MOD_PATCH_VERSION@
+
+usage()
+{
+ cat <&2
+fi
+
+lib_ssl=no
+lib_smime=no
+lib_nss=no
+lib_nssutil=yes
+
+while test $# -gt 0; do
+ case "$1" in
+ -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
+ *) optarg= ;;
+ esac
+
+ case $1 in
+ --prefix=*)
+ prefix=$optarg
+ ;;
+ --prefix)
+ echo_prefix=yes
+ ;;
+ --exec-prefix=*)
+ exec_prefix=$optarg
+ ;;
+ --exec-prefix)
+ echo_exec_prefix=yes
+ ;;
+ --includedir=*)
+ includedir=$optarg
+ ;;
+ --includedir)
+ echo_includedir=yes
+ ;;
+ --libdir=*)
+ libdir=$optarg
+ ;;
+ --libdir)
+ echo_libdir=yes
+ ;;
+ --version)
+ echo ${major_version}.${minor_version}.${patch_version}
+ ;;
+ --cflags)
+ echo_cflags=yes
+ ;;
+ --libs)
+ echo_libs=yes
+ ;;
+ ssl)
+ lib_ssl=no
+ ;;
+ smime)
+ lib_smime=no
+ ;;
+ nss)
+ lib_nss=no
+ ;;
+ nssutil)
+ lib_nssutil=yes
+ ;;
+ *)
+ usage 1 1>&2
+ ;;
+ esac
+ shift
+done
+
+# Set variables that may be dependent upon other variables
+if test -z "$exec_prefix"; then
+ exec_prefix=`pkg-config --variable=exec_prefix nss`
+fi
+if test -z "$includedir"; then
+ includedir=`pkg-config --variable=includedir nss`
+fi
+if test -z "$libdir"; then
+ libdir=`pkg-config --variable=libdir nss`
+fi
+
+if test "$echo_prefix" = "yes"; then
+ echo $prefix
+fi
+
+if test "$echo_exec_prefix" = "yes"; then
+ echo $exec_prefix
+fi
+
+if test "$echo_includedir" = "yes"; then
+ echo $includedir
+fi
+
+if test "$echo_libdir" = "yes"; then
+ echo $libdir
+fi
+
+if test "$echo_cflags" = "yes"; then
+ echo -I$includedir
+fi
+
+if test "$echo_libs" = "yes"; then
+ libdirs="-Wl,-rpath-link,$libdir -L$libdir"
+ if test -n "$lib_ssl"; then
+ libdirs="$libdirs -lssl${major_version}"
+ fi
+ if test -n "$lib_smime"; then
+ libdirs="$libdirs -lsmime${major_version}"
+ fi
+ if test -n "$lib_nss"; then
+ libdirs="$libdirs -lnss${major_version}"
+ fi
+ if test -n "$lib_nssutil"; then
+ libdirs="$libdirs -lnssutil${major_version}"
+ fi
+ echo $libdirs
+fi
+
diff --git a/nss-softokn-prelink.conf b/nss-softokn-prelink.conf
new file mode 100644
index 0000000..bcfef1f
--- /dev/null
+++ b/nss-softokn-prelink.conf
@@ -0,0 +1,2 @@
+-b /lib{,64}/libfreebl3.so
+-b /lib{,64}/libsoftokn3.so
diff --git a/nss-softokn.pc.in b/nss-softokn.pc.in
new file mode 100644
index 0000000..b3c9044
--- /dev/null
+++ b/nss-softokn.pc.in
@@ -0,0 +1,11 @@
+prefix=%prefix%
+exec_prefix=%exec_prefix%
+libdir=%libdir%
+includedir=%includedir%
+
+Name: SOFTKN
+Description: Network Security Services Softoken PKCS #11 Module
+Version: %SOFTOKEN_VERSION%
+Requires: nspr >= %NSPR_VERSION%
+Requires: nss-util >= %NSSUTIL_VERSION%
+Cflags: -I${includedir}
diff --git a/nss-softokn.spec b/nss-softokn.spec
new file mode 100644
index 0000000..1cdcac9
--- /dev/null
+++ b/nss-softokn.spec
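Review bot: The `--libs` block tests `test -n "$lib_ssl"` (and likewise for smime and nss), but those variables are initialised to `no`, which is a non-empty string, so `-lssl`, `-lsmime` and `-lnss` are always emitted alongside `-lnssutil`. Compare against the value instead, e.g. `if test "$lib_ssl" = "yes"; then`, or initialise the unwanted ones to the empty string. The fallbacks for exec_prefix, includedir and libdir also query the `nss` pkg-config module rather than nss-softokn, so they come back empty and the script prints a bare `-I`/`-L` when nss.pc is not installed. The body of `usage()` appears truncated on this page, so it is not reviewed here.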
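Review bot: `Version: %SOFTOKEN_VERSION%` and `Requires: nss-util >= %NSSUTIL_VERSION%` are not matched by the sed expressions in nss-softokn.spec, which substitute `%%SOFTKN_VERSION%%` and have no rule for NSSUTIL_VERSION, so both placeholders would reach the installed nss-softokn.pc unexpanded. Either rename the placeholder here to `%SOFTKN_VERSION%` or change the spec to `-e "s,%%SOFTOKEN_VERSION%%,%{version},g"`, and add `-e "s,%%NSSUTIL_VERSION%%,%{nssutil_version},g"`. pkg-config also expects a single Requires field, so the two lines are better merged as `Requires: nspr >= %NSPR_VERSION%, nss-util >= %NSSUTIL_VERSION%`. There is no `Libs:` line; if that is intentional, a comment saying so would help.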
@@ -0,0 +1,309 @@
+%global nspr_version 4.8
+%global nss_name nss
+%global nssutil_version 3.12.3.99.3
+%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
+%global saved_files_dir %{_libdir}/nss/saved
+
+# Produce .chk files for the final stripped binaries
+%define __spec_install_post \
+ %{?__debug_package:%{__debug_install_post}} \
+ %{__arch_install_post} \
+ %{__os_install_post} \
+ $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_lib}/libsoftokn3.so \
+ $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_lib}/libfreebl3.so \
+ $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_lib}/libnssdbm3.so \
+%{nil}
+
+Summary: Network Security Services Soktoken Module
+Name: nss-softokn
+Version: 3.12.3.99.3
+Release: 8%{?dist}
+License: MPLv1.1 or GPLv2+ or LGPLv2+
+URL: http://www.mozilla.org/projects/security/pki/nss/
+Group: System Environment/Libraries
+Requires: nspr >= %{nspr_version}
+Requires: nss-softokn-freebl%{_isa} >= %{version}
+Requires: sqlite
+Requires: nss-util >= %{nssutil_version}
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+BuildRequires: nspr-devel >= %{nspr_version}
+BuildRequires: sqlite-devel
+BuildRequires: zlib-devel
+BuildRequires: pkgconfig
+BuildRequires: gawk
+BuildRequires: psmisc
+BuildRequires: perl
+
+Source0: %{name}-%{version}-stripped.tar.bz2
+# The nss-softokn tar ball is a subset of nss-%{version}-stripped.tar.bz2,
+# Therefore we use the nss-split-softokn.sh script to keep only what we need.
+# Download the nss tarball via CVS from the nss propect and follow these
+# steps to make the r tarball for nss-util out of the for nss:
+# cvs co nss
+# cvs nss-softokn (as soon as it is in cvs - for now extract the srpm)
+# cd nss-softokn/devel
+# cp ../../nss/devel/${version}-stripped.tar.bz2 .
+# (use 3.12.3.99.3 for version above until 3.12.4 comes out)
+# sh ./nss-split-softokn.sh ${version}
+# A %{name}-%{version}--stripped.tar.bz2 should appear
+Source1: nss-split-softokn.sh
+Source2: nss-softokn.pc.in
+Source3: nss-softokn-config.in
+Source4: nss-softokn-prelink.conf
+
+# patches moved here from nss because they affect softoken only
+# won't be needed when we upgrade to 3.12.4
+Patch1: nss-nolocalsql.patch
+Patch2: nss-stubs-bug502133.patch
+
+%description
+Network Security Services Softoken Cryptographic Module
+
+%package freebl
+Summary: Freebl library for the Network Security Services
+Group: System Environment/Base
+Conflicts: nss < 3.12.2.99.3-5
+
+%description freebl
+Network Security Services Softoken Cryptographic Module Freelb Library.
+
+Install the nss-softokn-freebl package if you need the freebl
+library.
+
+%package devel
+Summary: Development libraries for Network Security Services
+Group: Development/Libraries
+Requires: nss-softokn = %{version}-%{release}
+Requires: nspr-devel >= %{nspr_version}
+Requires: nss-util-devel >= %{nsutil_version}
+Requires: pkgconfig
+
+%description devel
+Header and Library files for doing development with Network Security Services.
+
+
+%prep
+%setup -q
+
+# patches moved here from nss because they affect softokn only
+# they won't be needed when we upgrade to 3.12.4
+%patch1 -p0
+%patch2 -p0 -b .502133
+
+%build
+
+FREEBL_NO_DEPEND=1
+export FREEBL_NO_DEPEND
+
+# Enable compiler optimizations and disable debugging code
+BUILD_OPT=1
+export BUILD_OPT
+
+# Generate symbolic info for debuggers
+XCFLAGS=$RPM_OPT_FLAGS
+export XCFLAGS
+
+
+PKG_CONFIG_ALLOW_SYSTEM_LIBS=1
+PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1
+
+export PKG_CONFIG_ALLOW_SYSTEM_LIBS
+export PKG_CONFIG_ALLOW_SYSTEM_CFLAGS
+
+NSPR_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nspr | sed 's/-I//'`
+NSPR_LIB_DIR=`/usr/bin/pkg-config --libs-only-L nspr | sed 's/-L//'`
+
+export NSPR_INCLUDE_DIR
+export NSPR_LIB_DIR
+
+NSS_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nss | sed 's/-I//'`
+NSS_LIB_DIR=`/usr/bin/pkg-config --libs-only-L nss | sed 's/-L//'`
+
+export NSS_INCLUDE_DIR
+export NSS_LIB_DIR
+
+
+%ifarch x86_64 ppc64 ia64 s390x sparc64
+USE_64=1
+export USE_64
+%endif
+
+# Compile softkn plus needed support
+%{__make} -C ./mozilla/security/coreconf
+%{__make} -C ./mozilla/security/dbm
+%{__make} -C ./mozilla/security/nss
+
+# Set up our package file
+%{__mkdir_p} ./mozilla/dist/pkgconfig
+%{__cat} %{SOURCE2} | sed -e "s,%%libdir%%,%{_libdir},g" \
+ -e "s,%%prefix%%,%{_prefix},g" \
+ -e "s,%%exec_prefix%%,%{_prefix},g" \
+ -e "s,%%includedir%%,%{_includedir}/nss3,g" \
+ -e "s,%%NSPR_VERSION%%,%{nspr_version},g" \
+ -e "s,%%SOFTKN_VERSION%%,%{version},g" > \
+ ./mozilla/dist/pkgconfig/nss-softokn.pc
+
+SOFTOKEN_VMAJOR=`cat mozilla/security/nss/lib/softoken/softkver.h | grep "#define.*SOFTOKEN_VMAJOR" | awk '{print $3}'`
+SOFTOKEN_VMINOR=`cat mozilla/security/nss/lib/softoken/softkver.h | grep "#define.*SOFTOKEN_VMINOR" | awk '{print $3}'`
+SOFTOKEN_VPATCH=`cat mozilla/security/nss/lib/softoken/softkver.h | grep "#define.*SOFTOKEN_VPATCH" | awk '{print $3}'`
+
+export SOFTOKEN_VMAJOR
+export SOFTOKEN_VMINOR
+export SOFTOKEN_VPATCH
+
+%{__cat} %{SOURCE3} | sed -e "s,@libdir@,%{_libdir},g" \
+ -e "s,@prefix@,%{_prefix},g" \
+ -e "s,@exec_prefix@,%{_prefix},g" \
+ -e "s,@includedir@,%{_includedir}/nss3,g" \
+ -e "s,@MOD_MAJOR_VERSION@,$SOFTOKEN_VMAJOR,g" \
+ -e "s,@MOD_MINOR_VERSION@,$SOFTOKEN_VMINOR,g" \
+ -e "s,@MOD_PATCH_VERSION@,$SOFTOKEN_VPATCH,g" \
+ > ./mozilla/dist/pkgconfig/nss-softokn-config
+
+chmod 755 ./mozilla/dist/pkgconfig/nss-softokn-config
+
+# save a copy in a safe place in case there is a preelink install or unistall
+%{__cp} -p %{SOURCE4} ./mozilla/dist/pkgconfig/nss-softokn-prelink.conf
+
+# enable the following line to force a test failure
+# find ./mozilla -name \*.chk | xargs rm -f
+
+#
+# We can't run a subset of the tests because the tools have
+# dependencies on nss libraries outside of softokn.
+# Let's leave this as a place holder.
+#
+
+
+%install
+
+%{__rm} -rf $RPM_BUILD_ROOT
+
+# There is no make install target so we'll do it ourselves.
+
+%{__mkdir_p} $RPM_BUILD_ROOT/%{_includedir}/nss3
+%{__mkdir_p} $RPM_BUILD_ROOT/%{_bindir}
+%{__mkdir_p} $RPM_BUILD_ROOT/%{_lib}
+%{__mkdir_p} $RPM_BUILD_ROOT/%{unsupported_tools_directory}
+%{__mkdir_p} $RPM_BUILD_ROOT/%{_libdir}/pkgconfig
+%{__mkdir_p} $RPM_BUILD_ROOT/%{saved_files_dir}
+
+# Copy the binary libraries we want
+for file in libsoftokn3.so libfreebl3.so libnssdbm3.so
+do
+ %{__install} -p -m 755 mozilla/dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_lib}
+ ln -sf ../../%{_lib}/$file $RPM_BUILD_ROOT/%{_libdir}/$file
+done
+
+# Make sure chk files can be found in both places
+for file in libsoftokn3.chk libfreebl3.chk libnssdbm3.chk
+do
+ ln -s ../../%{_lib}/$file $RPM_BUILD_ROOT/%{_libdir}/$file
+done
+
+# install our prelink configuration file
+%{__mkdir_p} $RPM_BUILD_ROOT/%{_sysconfdir}/prelink.conf.d
+%{__install} -p -m 644 %{SOURCE4} $RPM_BUILD_ROOT/%{_sysconfdir}/prelink.conf.d/nss-softokn-prelink.conf
+# and stash a copy away in a safe place
+%{__install} -p -m 644 %{SOURCE4} $RPM_BUILD_ROOT/%{saved_files_dir}/nss-softokn-prelink.conf
+
+# Copy the binaries we ship as unsupported
+for file in shlibsign
+do
+ %{__install} -p -m 755 mozilla/dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{unsupported_tools_directory}
+done
+
+# Copy the include files we want
+for file in mozilla/dist/public/nss/*.h
+do
+ %{__install} -p -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss3
+done
+
+# Copy the package configuration files
+%{__install} -p ./mozilla/dist/pkgconfig/nss-softokn.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss-softokn.pc
+%{__install} -p ./mozilla/dist/pkgconfig/nss-softokn-config $RPM_BUILD_ROOT/%{_bindir}/nss-softokn-config
+
+%clean
+%{__rm} -rf $RPM_BUILD_ROOT
+
+# Trigger scriptlets to install or remove nss-softokn-prelink.conf
+# when prelink is ether installed or removed in the user's system
+
+# This trigger scriptlet is run when:
+# 1) nss-softokn is already installed, and prelink is installed or upgraded
+# 2) prelink is already installed, and nss-softokn is installed or upgraded
+%triggerin -- prelink
+%{__install} -p -m 644 %{saved_files_dir}/nss-softokn-prelink.conf \
+ %{_sysconfdir}/prelink.conf.d/nss-softokn-prelink.conf
+
+# This trigger scriptlet is run when:
+# 1) prelink is installed, and nss-softokn removed
+# 2) nss-softokn is installed, and prelink gets removed
+%triggerun -- prelink
+[ $2 = 0 ] || exit 0
+%{__rm} -f %{_sysconfdir}/prelink.conf.d/nss-softokn-prelink.conf
+
+
+%post
+/sbin/ldconfig >/dev/null 2>/dev/null
+
+%postun
+/sbin/ldconfig >/dev/null 2>/dev/null
+[ $1 = 0 ] && rm -f %{_sysconfdir}/prelink.conf.d/nss-softokn-prelink.conf
+
+
+%files
+%defattr(-,root,root)
+/%{_lib}/libnssdbm3.so
+/%{_lib}/libnssdbm3.chk
+/%{_lib}/libsoftokn3.so
+/%{_lib}/libsoftokn3.chk
+# shared with nss-tools
+%dir %{_libdir}/nss
+%dir %{saved_files_dir}
+%dir %{unsupported_tools_directory}
+%{unsupported_tools_directory}/shlibsign
+%{saved_files_dir}/nss-softokn-prelink.conf
+# we don't own %{_sysconfdir}/prelink.conf.d and
+# must rely on triggers to install and remove our
+# configuration file
+%{_sysconfdir}/prelink.conf.d/nss-softokn-prelink.conf
+
+%files freebl
+%defattr(-,root,root)
+/%{_lib}/libfreebl3.so
+/%{_lib}/libfreebl3.chk
+
+%files devel
+%defattr(-,root,root)
+%{_libdir}/libsoftokn3.so
+%{_libdir}/libsoftokn3.chk
+%{_libdir}/libfreebl3.so
+%{_libdir}/libfreebl3.chk
+%{_libdir}/libnssdbm3.so
+%{_libdir}/libnssdbm3.chk
+%{_libdir}/pkgconfig/nss-softokn.pc
+%{_bindir}/nss-softokn-config
+
+# co-owned with nss
+%dir %{_includedir}/nss3
+#
+# The following headers are those exported public in
+# mozilla/security/nss/lib/freebl/manifest.mn and
+# mozilla/security/nss/lib/softoken/manifest.mn
+#
+# The following list is short because many headers, such as
+# the pkcs #11 ones, have been provided by nss-util-devel
+# which installed them before us.
+#
+%{_includedir}/nss3/blapit.h
+%{_includedir}/nss3/ecl-exp.h
+%{_includedir}/nss3/hasht.h
+%{_includedir}/nss3/sechash.h
+%{_includedir}/nss3/nsslowhash.h
+%{_includedir}/nss3/secmodt.h
+%{_includedir}/nss3/shsign.h
+
+%changelog
+* Thu Aug 19 2009 Elio Maldonado 3.12.3.99.3-8
+- Initial build
diff --git a/nss-split-softokn.sh b/nss-split-softokn.sh
new file mode 100644
index 0000000..390d196
--- /dev/null
+++ b/nss-split-softokn.sh
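Review bot: In the devel subpackage, `Requires: nss-util-devel >= %{nsutil_version}` misspells the macro defined at the top as `nssutil_version`, so rpm leaves the text unexpanded and the dependency does not carry the intended version; it should read `Requires: nss-util-devel >= %{nssutil_version}`. In `%postun`, `[ $1 = 0 ] && rm -f ...` is the last command, so on an upgrade (`$1` not 0) the scriptlet ends with a non-zero status; `[ $1 = 0 ] || exit 0` followed by the `rm -f`, as `%triggerun` already does, avoids that. The prelink.conf.d file is installed in `%install` and listed in `%files`, while the comment just above it says the package must rely on triggers for that file, which looks contradictory and is worth resolving one way or the other.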
@@ -0,0 +1,87 @@
+#!/bin/sh
+#
+# Splits NSS into nss-util and nss-softokn
+# Takes as command line input the version of nss
+# and assumes that a file nss-${nss_version}-stripped.tar.bz2
+# exits in the current directory
+
+set -e
+
+if test -z $1
+then
+ echo "usage: $0 nss-version"
+ exit
+fi
+
+export name=nss
+export version=$1
+
+echo "Extracting ${name}-${version}-stripped.tar.bz2"
+
+tar -xjf ${name}-${version}-stripped.tar.bz2
+
+# the directory will be named ${name}-${version}
+
+nss_source_dir=${name}-${version}
+softokn_dir=${name}-softokn-${version}
+
+# make_nss_softokn
+#-------------------------------------------------
+# create the nss-softokn subset consisting of
+# mozilla/dbm --- full directory
+# mozilla/security --- top empty
+# mozilla/security/coreconf --- full directory
+# mozilla/security/nss --- top files only
+# mozilla/security/nss/lib --- top files only
+# mozilla/security/nss/lib/freebl --- full directory
+# mozilla/security/nss/lib/softoken --- full directory
+# mozilla/security/nss/lib/softoken/dbm --- full directory
+#-------------------------------------------------------
+
+SOFTOKN_WORK=${softokn_dir}-work
+rm -rf ${SOFTOKN_WORK}
+mkdir ${SOFTOKN_WORK}
+
+# copy everything
+cp -a ${nss_source_dir} ${SOFTOKN_WORK}/${softokn_dir}
+
+# remove subdirectories that we don't want
+rm -rf ${SOFTOKN_WORK}/${softokn_dir}/mozilla/security/nss/cmd
+rm -rf ${SOFTOKN_WORK}/${softokn_dir}/mozilla/security/nss/tests
+rm -rf ${SOFTOKN_WORK}/${softokn_dir}/mozilla/security/nss/lib
+rm -rf ${SOFTOKN_WORK}/${softokn_dir}/mozilla/security/nss/pkg
+# rstart with an empty lib directory and copy only what we need
+mkdir ${SOFTOKN_WORK}/${softokn_dir}/mozilla/security/nss/lib
+# copy entire freebl and softoken directories recursively
+cp -a ${nss_source_dir}/mozilla/security/nss/lib/freebl ${SOFTOKN_WORK}/${softokn_dir}/mozilla/security/nss/lib/freebl
+cp -a ${nss_source_dir}/mozilla/security/nss/lib/softoken ${SOFTOKN_WORK}/${softokn_dir}/mozilla/security/nss/lib/softoken
+cp -a ${nss_source_dir}/mozilla/security/nss/lib/softoken ${SOFTOKN_WORK}/${softokn_dir}/mozilla/security/nss/lib/softoken/dbm
+
+# and some Makefiles and related files
+cp ${nss_source_dir}/mozilla/security/nss/Makefile ${SOFTOKN_WORK}/${softokn_dir}/mozilla/security/nss
+cp ${nss_source_dir}/mozilla/security/nss/manifest.mn ${SOFTOKN_WORK}/${softokn_dir}/mozilla/security/nss
+cp ${nss_source_dir}/mozilla/security/nss/trademarks.txt ${SOFTOKN_WORK}/${softokn_dir}/mozilla/security/nss
+cp ${nss_source_dir}/mozilla/security/nss/lib/Makefile ${SOFTOKN_WORK}/${softokn_dir}/mozilla/security/nss/lib
+cp ${nss_source_dir}/mozilla/security/nss/lib/manifest.mn ${SOFTOKN_WORK}/${softokn_dir}/mozilla/security/nss/lib
+
+# we do need shlibsign from cmd
+mkdir ${SOFTOKN_WORK}/${softokn_dir}/mozilla/security/nss/cmd
+# copy some files at the top and the slhlib subdirectory
+cp -p ${nss_source_dir}/mozilla/security/nss/cmd/Makefile ${SOFTOKN_WORK}/${softokn_dir}/mozilla/security/nss/cmd
+cp -p ${nss_source_dir}/mozilla/security/nss/cmd/manifest.mn ${SOFTOKN_WORK}/${softokn_dir}/mozilla/security/nss/cmd
+cp -p ${nss_source_dir}/mozilla/security/nss/cmd/platlibs.mk ${SOFTOKN_WORK}/${softokn_dir}/mozilla/security/nss/cmd
+cp -p ${nss_source_dir}/mozilla/security/nss/cmd/platrules.mk ${SOFTOKN_WORK}/${softokn_dir}/mozilla/security/nss/cmd
+
+cp -a ${nss_source_dir}/mozilla/security/nss/cmd/shlibsign ${SOFTOKN_WORK}/${softokn_dir}/mozilla/security/nss/cmd/shlibsign
+
+pushd ${SOFTOKN_WORK}
+# the compressed tar ball for nss-softokn
+tar -cjf ../${name}-softokn-${version}-stripped.tar.bz2 ${softokn_dir}
+popd
+
+# cleanup after ourselves
+rm -fr ${nss_source_dir}
+rm -rf ${SOFTOKN_WORK}
+
+
+
diff --git a/nss-stubs-bug502133.patch b/nss-stubs-bug502133.patch
new file mode 100644
index 0000000..a0f1503
--- /dev/null
+++ b/nss-stubs-bug502133.patch
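Review bot: The script is declared `#!/bin/sh` but calls `pushd`/`popd`, which are bash builtins; under a strictly POSIX sh the `pushd` fails and `set -e` stops the run before the tarball is written, so either use `#!/bin/bash` or replace the pair with `(cd "${SOFTOKN_WORK}" && tar -cjf ...)`. The second `cp -a` of `lib/softoken` targets `lib/softoken/dbm`, which copies the softoken directory into itself a second time; this looks like a copy-paste slip, since the preceding `cp -a` is already recursive. `test -z $1` and the `rm -rf` operands are unquoted and the usage branch exits with status 0; `test -z "$1"` and `exit 1` would make a bad invocation fail visibly. Because the output becomes Source0 for a cryptographic module, recording a checksum of the input tarball next to the script would make the split auditable.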
@@ -0,0 +1,23 @@
+diff -rupN nss-3.12.3.99.3-orig/mozilla/security/nss/lib/freebl/stubs.c nss-3.12.3.99.3/mozilla/security/nss/lib/freebl/stubs.c
+--- ./mozilla/security/nss/lib/freebl/stubs.c 2009-03-28 19:21:50.000000000 -0700
++++ ./mozilla/security/nss/lib/freebl/stubs.c 2009-06-08 20:37:20.000000000 -0700
+@@ -558,8 +558,8 @@ FREEBL_InitStubs()
+ return SECFailure;
+ }
+ rv = freebl_InitNSPR(nspr);
+- freebl_releaseLibrary(nspr);
+ if (rv != SECSuccess) {
++ freebl_releaseLibrary(nspr);
+ return rv;
+ }
+ }
+@@ -570,8 +570,8 @@ FREEBL_InitStubs()
+ return SECFailure;
+ }
+ rv = freebl_InitNSSUtil(nssutil);
+- freebl_releaseLibrary(nssutil);
+ if (rv != SECSuccess) {
++ freebl_releaseLibrary(nssutil);
+ return rv;
+ }
+ }
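Review bot: After this change the success path of both blocks returns without calling `freebl_releaseLibrary`, so the nspr and nssutil handles stay open for the life of the process, and neither the patch nor the spec says why. If that is deliberate (presumably the stub table keeps pointers resolved from those libraries, so releasing the handle would leave them dangling), add a header line to the patch file such as `# bug 502133: keep the library handle open on success; the stubs point into it`. FREEBL_InitStubs starts and ends outside the hunk, so whether a failure in the nssutil block should also release the already-initialised nspr handle cannot be judged from here.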