up to 3.52.1 (fixes CVE-2020-12399)

[packages/nss.git] / nss.spec

%define nspr_ver        1:4.25
%define foover  %(echo %{version} | tr . _)
Summary:        NSS - Network Security Services
Summary(pl.UTF-8):      NSS - Network Security Services
Name:           nss
Version:        3.52.1
Release:        1
Epoch:          1
License:        MPL v2.0
Group:          Libraries
Source0:        http://ftp.mozilla.org/pub/security/nss/releases/NSS_%{foover}_RTM/src/%{name}-%{version}.tar.gz
# Source0-md5:  8b2ef922d39951c300cf9bec4eb6aa97
Source1:        %{name}-mozilla-nss.pc
Source2:        %{name}-config.in
Source3:        http://www.cacert.org/certs/root.der
# Source3-md5:  a61b375e390d9c3654eebd2031461f6b
Source4:        nss-softokn.pc.in
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1083900
URL:            https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS
BuildRequires:  nspr-devel >= %{nspr_ver}
BuildRequires:  nss-tools
BuildRequires:  perl-base
BuildRequires:  sqlite3-devel
BuildRequires:  zlib-devel
BuildConflicts: mozilla < 0.9.6-3
Requires:       %{name}-softokn-freebl = %{epoch}:%{version}-%{release}
Requires:       nspr >= %{nspr_ver}
Obsoletes:      libnss3
# needs http2 code update: https://bugzilla.mozilla.org/show_bug.cgi?id=1323209
Conflicts:      firefox < 50.1.0-2
Conflicts:      iceape < 2.46-1
Conflicts:      iceweasel < 51
Conflicts:      mozilla-firefox < 51
Conflicts:      seamonkey < 2.47
BuildRoot:      %{tmpdir}/%{name}-%{version}-root-%(id -u -n)

%define         specflags       -fno-strict-aliasing
# signed -  stripped before signing
%define         _noautostrip    .*%{_libdir}/libfreebl3.so\\|.*%{_libdir}/libsoftokn3.so
%define         _noautochrpath  .*%{_libdir}/libfreebl3.so\\|.*%{_libdir}/libsoftokn3.so

%description
NSS supports cross-platform development of security-enabled server
applications. Applications built with NSS can support PKCS #5,
PKCS #7, PKCS #11, PKCS #12, S/MIME, TLS, SSL v2 and v3, X.509 v3
certificates, and other security standards.

%description -l pl.UTF-8
NSS wspomaga pisanie wieloplatformowych bezpiecznych serwerów.
Aplikacja używająca NSS jest w stanie obsłużyć PKCS #5, PKCS #7,
PKCS #11, PKCS #12, S/MIME, TLS, SSL v2 oraz v3, certyfikaty X.509 v3,
i wiele innych bezpiecznych standardów.

%package tools
Summary:        NSS command line tools and utilities
Summary(pl.UTF-8):      Narzędzia NSS obsługiwane z linii poleceń
Group:          Applications
Requires:       %{name} = %{epoch}:%{version}-%{release}

%description tools
The NSS Toolkit command line tool.

%description tools -l pl.UTF-8
Narzędzia NSS obsługiwane z linii poleceń.

%package devel
Summary:        NSS - header files
Summary(pl.UTF-8):      NSS - pliki nagłówkowe
Group:          Development/Libraries
Requires:       %{name} = %{epoch}:%{version}-%{release}
Requires:       nspr-devel >= %{nspr_ver}
Obsoletes:      libnss3-devel

%description devel
Development part of NSS library.

%description devel -l pl.UTF-8
Część biblioteki NSS przeznaczona dla programistów.

%package static
Summary:        NSS - static library
Summary(pl.UTF-8):      NSS - biblioteka statyczna
Group:          Development/Libraries
Requires:       %{name}-devel = %{epoch}:%{version}-%{release}

%description static
Static NSS Toolkit libraries.

%description static -l pl.UTF-8
Statyczne wersje bibliotek z NSS.

%package softokn-freebl
Summary:        Freebl library for the Network Security Services
Summary(pl.UTF-8):      Biblioteka freebl dla bibliotek NSS
Group:          Libraries

%description softokn-freebl
Freebl cryptographic library for the Network Security Services.

%description softokn-freebl -l pl.UTF-8
Biblioteka kryptograficzna freebl dla bibliotek NSS.

%prep
%setup -q

%if 0%{!?debug:1}
# strip before signing
%{__sed} -i -e '/export ADDON_PATH$/a\    echo STRIP \; %{__strip} --strip-unneeded -R.comment -R.note ${5}' nss/cmd/shlibsign/sign.sh
%endif

%build
# http://wiki.cacert.org/wiki/NSSLib
addbuiltin -n "CAcert Inc." -t "CT,C,C" < %{SOURCE3} >> nss/lib/ckfw/builtins/certdata.txt

%ifarch %{x8664} ppc64 sparc64 aarch64
export USE_64=1
%endif

# http://pki.fedoraproject.org/wiki/ECC_Capable_NSS
for dir in ecc noecc; do
        install -d $dir
        cp -a nss $dir/nss
done

export BUILD_OPT=1
export MOZILLA_CLIENT=1
export NSDISTMODE=copy
export NSPR_INCLUDE_DIR=/usr/include/nspr
export NSS_USE_SYSTEM_SQLITE=1
export USE_PTHREADS=1
export USE_SYSTEM_ZLIB=1
export ZLIB_LIBS="-lz"
%ifarch x32
export USE_X32=1
%endif

# https://bugzilla.mozilla.org/show_bug.cgi?id=1084623

# Forcing ecc with this hack would produce broken librares (softoken, freebl etc).
# Thus we also build noecc version (which doesn't require hack) and use these
# libs from there.
%{__sed} -i -e 's|#error|//error|g' ecc/nss/lib/freebl/ecl/ecl-curve.h
%{__make} -j1 -C ecc/nss \
        NSS_ECC_MORE_THAN_SUITE_B=1 \
        CC="%{__cc}" \
        OPTIMIZER="%{rpmcflags} %{rpmcppflags}" \

%{__make} -j1 -C noecc/nss \
        CC="%{__cc}" \
        OPTIMIZER="%{rpmcflags} %{rpmcppflags}"

%install
rm -rf $RPM_BUILD_ROOT
install -d $RPM_BUILD_ROOT{%{_bindir},%{_mandir}/man1,%{_includedir}/nss,/%{_lib},%{_libdir},%{_pkgconfigdir}}

cp -p ecc/dist/private/nss/*    $RPM_BUILD_ROOT%{_includedir}/nss
cp -p ecc/dist/public/dbm/*     $RPM_BUILD_ROOT%{_includedir}/nss
cp -p ecc/dist/public/nss/*     $RPM_BUILD_ROOT%{_includedir}/nss
install -p ecc/dist/Linux*/bin/*        $RPM_BUILD_ROOT%{_bindir}
install -p ecc/dist/Linux*/lib/*        $RPM_BUILD_ROOT%{_libdir}

# non-ECC version, we need only libnssdbm3, libsoftokn3, libfreebl3
install -p noecc/dist/Linux*/lib/libnssdbm3.*   $RPM_BUILD_ROOT%{_libdir}
install -p noecc/dist/Linux*/lib/libsoftokn3.*  $RPM_BUILD_ROOT%{_libdir}
install -p noecc/dist/Linux*/lib/libfreebl3.*   $RPM_BUILD_ROOT%{_libdir}

cp -p nss/doc/nroff/*.1         $RPM_BUILD_ROOT%{_mandir}/man1

%{__sed} -e '
        s#libdir=.*#libdir=%{_libdir}#g
        s#includedir=.*#includedir=%{_includedir}#g
        s#VERSION#%{version}#g
' %{SOURCE1} > $RPM_BUILD_ROOT%{_pkgconfigdir}/nss.pc
# compatibility symlink
ln -s nss.pc $RPM_BUILD_ROOT%{_pkgconfigdir}/mozilla-nss.pc

cat %{SOURCE4} | \
sed -e "s,%%libdir%%,%{_libdir},g" \
        -e "s,%%prefix%%,%{_prefix},g" \
        -e "s,%%exec_prefix%%,%{_prefix},g" \
        -e "s,%%includedir%%,%{_includedir}/nss,g" \
        -e "s,%%NSPR_VERSION%%,$(echo %{nspr_ver} | sed -e 's#.*:##g'),g" \
        -e "s,%%NSS_VERSION%%,%{version},g" \
        -e "s,%%SOFTOKEN_VERSION%%,%{version},g" > \
        $RPM_BUILD_ROOT%{_pkgconfigdir}/nss-softokn.pc

NSS_VMAJOR=$(awk '/#define.*NSS_VMAJOR/ {print $3}' nss/lib/nss/nss.h)
NSS_VMINOR=$(awk '/#define.*NSS_VMINOR/ {print $3}' nss/lib/nss/nss.h)
NSS_VPATCH=$(awk '/#define.*NSS_VPATCH/ {print $3}' nss/lib/nss/nss.h)
%{__sed} -e "
        s,@libdir@,%{_libdir},g
        s,@prefix@,%{_prefix},g
        s,@exec_prefix@,%{_prefix},g
        s,@includedir@,%{_includedir}/nss,g
        s,@MOD_MAJOR_VERSION@,$NSS_VMAJOR,g
        s,@MOD_MINOR_VERSION@,$NSS_VMINOR,g
        s,@MOD_PATCH_VERSION@,$NSS_VPATCH,g
" %{SOURCE2} > $RPM_BUILD_ROOT%{_bindir}/nss-config
chmod +x $RPM_BUILD_ROOT%{_bindir}/nss-config

%{__mv} $RPM_BUILD_ROOT%{_libdir}/libfreebl3.so $RPM_BUILD_ROOT/%{_lib}
ln -s /%{_lib}/libfreebl3.so $RPM_BUILD_ROOT%{_libdir}/libfreebl3.so
%{__mv} $RPM_BUILD_ROOT%{_libdir}/libfreebl3.chk $RPM_BUILD_ROOT/%{_lib}
ln -s /%{_lib}/libfreebl3.chk $RPM_BUILD_ROOT%{_libdir}/libfreebl3.chk
%{__mv} $RPM_BUILD_ROOT%{_libdir}/libfreeblpriv3.so $RPM_BUILD_ROOT/%{_lib}
ln -s /%{_lib}/libfreeblpriv3.so $RPM_BUILD_ROOT%{_libdir}/libfreeblpriv3.so
%{__mv} $RPM_BUILD_ROOT%{_libdir}/libfreeblpriv3.chk $RPM_BUILD_ROOT/%{_lib}
ln -s /%{_lib}/libfreeblpriv3.chk $RPM_BUILD_ROOT%{_libdir}/libfreeblpriv3.chk

# conflict with openssl-static
%{__mv} $RPM_BUILD_ROOT%{_libdir}/libssl{,3}.a

# unit tests
%{__rm} $RPM_BUILD_ROOT%{_bindir}/{certdb,certhigh,cryptohi,der,pk11,softoken,smime,ssl,util}_gtest
%{__rm} $RPM_BUILD_ROOT%{_bindir}/fbectest
%{__rm} $RPM_BUILD_ROOT%{_bindir}/nss_bogo_shim
%{__rm} $RPM_BUILD_ROOT%{_bindir}/pk11ectest
%{__rm} $RPM_BUILD_ROOT%{_bindir}/pk11importtest
%{__rm} $RPM_BUILD_ROOT%{_bindir}/rsapoptst
%{__rm} $RPM_BUILD_ROOT%{_libdir}/libgtest*
%{__rm} $RPM_BUILD_ROOT%{_libdir}/libnss*-testlib.so
%{__rm} $RPM_BUILD_ROOT%{_libdir}/libpkcs11testmodule.*

if [ ! -f "$RPM_BUILD_ROOT%{_includedir}/nss/nsslowhash.h" ]; then
        echo >&2 "ERROR: %{_includedir}/nss/nsslowhash.h not installed. Needed by glibc"
        exit 1
fi

%clean
rm -rf $RPM_BUILD_ROOT

%post   -p /sbin/ldconfig
%postun -p /sbin/ldconfig

%files
%defattr(644,root,root,755)
# COPYING beside MPL v2.0 text contains GPL/LGPL compatibility notes
%doc nss/{COPYING,trademarks.txt}
%attr(755,root,root) %{_libdir}/libfreebl3.so
%attr(755,root,root) %{_libdir}/libfreeblpriv3.so
%attr(755,root,root) %{_libdir}/libnss3.so
%attr(755,root,root) %{_libdir}/libnssckbi.so
%attr(755,root,root) %{_libdir}/libnssdbm3.so
%attr(755,root,root) %{_libdir}/libnssutil3.so
%attr(755,root,root) %{_libdir}/libsmime3.so
%attr(755,root,root) %{_libdir}/libsoftokn3.so
%attr(755,root,root) %{_libdir}/libssl3.so
%{_libdir}/libfreebl3.chk
%{_libdir}/libfreeblpriv3.chk
%{_libdir}/libnssdbm3.chk
%{_libdir}/libsoftokn3.chk

%files devel
%defattr(644,root,root,755)
%attr(755,root,root) %{_bindir}/nss-config
%{_libdir}/libcpputil.a
%{_libdir}/libcrmf.a
%{_libdir}/libfreebl.a
%{_includedir}/nss
%{_pkgconfigdir}/mozilla-nss.pc
%{_pkgconfigdir}/nss.pc
%{_pkgconfigdir}/nss-softokn.pc

%files tools
%defattr(644,root,root,755)
%attr(755,root,root) %{_bindir}/addbuiltin
%attr(755,root,root) %{_bindir}/atob
%attr(755,root,root) %{_bindir}/baddbdir
%attr(755,root,root) %{_bindir}/bltest
%attr(755,root,root) %{_bindir}/btoa
%attr(755,root,root) %{_bindir}/certutil
%attr(755,root,root) %{_bindir}/chktest
%attr(755,root,root) %{_bindir}/cmsutil
%attr(755,root,root) %{_bindir}/conflict
%attr(755,root,root) %{_bindir}/crlutil
%attr(755,root,root) %{_bindir}/crmftest
%attr(755,root,root) %{_bindir}/dbtest
%attr(755,root,root) %{_bindir}/derdump
%attr(755,root,root) %{_bindir}/dertimetest
%attr(755,root,root) %{_bindir}/digest
%attr(755,root,root) %{_bindir}/ecperf
%attr(755,root,root) %{_bindir}/encodeinttest
%attr(755,root,root) %{_bindir}/fipstest
%attr(755,root,root) %{_bindir}/httpserv
%attr(755,root,root) %{_bindir}/listsuites
%attr(755,root,root) %{_bindir}/lowhashtest
%attr(755,root,root) %{_bindir}/makepqg
%attr(755,root,root) %{_bindir}/mangle
%attr(755,root,root) %{_bindir}/modutil
%attr(755,root,root) %{_bindir}/multinit
%attr(755,root,root) %{_bindir}/nonspr10
%attr(755,root,root) %{_bindir}/nss-policy-check
%attr(755,root,root) %{_bindir}/ocspclnt
%attr(755,root,root) %{_bindir}/ocspresp
%attr(755,root,root) %{_bindir}/oidcalc
%attr(755,root,root) %{_bindir}/p7content
%attr(755,root,root) %{_bindir}/p7env
%attr(755,root,root) %{_bindir}/p7sign
%attr(755,root,root) %{_bindir}/p7verify
%attr(755,root,root) %{_bindir}/pk11gcmtest
%attr(755,root,root) %{_bindir}/pk11mode
%attr(755,root,root) %{_bindir}/pk12util
%attr(755,root,root) %{_bindir}/pk1sign
%attr(755,root,root) %{_bindir}/pkix-errcodes
%attr(755,root,root) %{_bindir}/pp
%attr(755,root,root) %{_bindir}/pwdecrypt
%attr(755,root,root) %{_bindir}/remtest
%attr(755,root,root) %{_bindir}/rsaperf
%attr(755,root,root) %{_bindir}/sdrtest
%attr(755,root,root) %{_bindir}/secmodtest
%attr(755,root,root) %{_bindir}/selfserv
%attr(755,root,root) %{_bindir}/shlibsign
%attr(755,root,root) %{_bindir}/signtool
%attr(755,root,root) %{_bindir}/signver
%attr(755,root,root) %{_bindir}/ssltap
%attr(755,root,root) %{_bindir}/strsclnt
%attr(755,root,root) %{_bindir}/symkeyutil
%attr(755,root,root) %{_bindir}/tstclnt
%attr(755,root,root) %{_bindir}/vfychain
%attr(755,root,root) %{_bindir}/vfyserv
%{_mandir}/man1/certutil.1*
%{_mandir}/man1/cmsutil.1*
%{_mandir}/man1/crlutil.1*
%{_mandir}/man1/derdump.1*
%{_mandir}/man1/modutil.1*
%{_mandir}/man1/pk12util.1*
%{_mandir}/man1/pp.1*
%{_mandir}/man1/signtool.1*
%{_mandir}/man1/signver.1*
%{_mandir}/man1/ssltap.1*
%{_mandir}/man1/vfychain.1*
%{_mandir}/man1/vfyserv.1*

%files static
%defattr(644,root,root,755)
%{_libdir}/libcertdb.a
%{_libdir}/libcerthi.a
%{_libdir}/libcryptohi.a
%{_libdir}/libdbm.a
%{_libdir}/libjar.a
%{_libdir}/libnss.a
%{_libdir}/libnssb.a
%{_libdir}/libnssckfw.a
%{_libdir}/libnssdbm.a
%{_libdir}/libnssdev.a
%{_libdir}/libnsspki.a
%{_libdir}/libnssutil.a
%{_libdir}/libpk11wrap.a
%{_libdir}/libpkcs12.a
%{_libdir}/libpkcs7.a
%{_libdir}/libpkixcertsel.a
%{_libdir}/libpkixchecker.a
%{_libdir}/libpkixcrlsel.a
%{_libdir}/libpkixmodule.a
%{_libdir}/libpkixparams.a
%{_libdir}/libpkixpki.a
%{_libdir}/libpkixresults.a
%{_libdir}/libpkixstore.a
%{_libdir}/libpkixsystem.a
%{_libdir}/libpkixtop.a
%{_libdir}/libpkixutil.a
%{_libdir}/libsectool.a
%{_libdir}/libsmime.a
%{_libdir}/libsoftokn.a
%{_libdir}/libssl3.a

%files softokn-freebl
%defattr(644,root,root,755)
%attr(755,root,root) /%{_lib}/libfreebl3.so
%attr(755,root,root) /%{_lib}/libfreeblpriv3.so
/%{_lib}/libfreebl3.chk
/%{_lib}/libfreeblpriv3.chk