#
# spec file for package apache2-mod_nss
#
# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#


Name:           apache2-mod_nss
Summary:        SSL/TLS module for the Apache HTTP server
License:        Apache-2.0
Group:          Productivity/Networking/Web/Servers
Version:        1.0.8
Release:        0.4.8
Url:            https://fedorahosted.org/mod_nss
Source:         https://fedorahosted.org/released/mod_nss/mod_nss-%{version}.tar.gz
Source1:        mod_nss.conf.in
Source2:        listen_nss.conf
Source3:        mod_nss_migrate.pl
Source4:        README-SUSE.txt
Source5:        vhost-nss.template
Provides:       mod_nss
Requires:       apache2 >= 2.2.12
Requires:       findutils
Requires:       mozilla-nss >= 3.15.1
PreReq:         mozilla-nss-tools
BuildRequires:  apache2-devel >= 2.2.12
BuildRequires:  bison
BuildRequires:  findutils
BuildRequires:  flex
BuildRequires:  gcc-c++
BuildRequires:  libapr-util1-devel
BuildRequires:  libapr1-devel
BuildRequires:  mozilla-nspr-devel >= 4.6.3
BuildRequires:  mozilla-nss-devel >= 3.15.1
BuildRequires:  mozilla-nss-tools
BuildRequires:  pkgconfig
# [bnc#799483] Patch to adjust mod_nss.conf to match SUSE dir layout
# Fri Nov  8 14:10:04 CET 2013 - draht: patch disabled, nss.conf.in is now scratch.
#Patch1:         mod_nss-conf.patch
Patch2:         mod_nss-gencert.patch
Patch3:         mod_nss-wouldblock.patch
Patch4:         mod_nss-negotiate.patch
Patch5:         mod_nss-reverseproxy.patch
Patch6:         mod_nss-pcachesignal.h
Patch7:         mod_nss-reseterror.patch
Patch8:         mod_nss-lockpcache.patch
# Fix build with apache 2.4
Patch9:         mod_nss-httpd24.patch

Patch10:        mod_nss-proxyvariables.patch
Patch11:        mod_nss-tlsv1_1.patch
Patch12:        mod_nss-array_overrun.patch
Patch13:        mod_nss-clientauth.patch
Patch14:        mod_nss-no_shutdown_if_not_init_2.patch
Patch15:        mod_nss-PK11_ListCerts_2.patch
Patch16:        mod_nss-sslmultiproxy.patch
Patch17:        mod_nss-overlapping_memcpy.patch
Patch18:        mod_nss-CVE-2013-4566-NSSVerifyClient.diff
Patch19:        mod_nss-cipherlist_update_for_tls12.diff
Patch20:        mod_nss-cipherlist_update_for_tls12-doc.diff
Patch23:        mod_nss-bnc863518-reopen_dev_tty.diff
# PATCH-FIX-UPSTREAM bnc#897712 kstreitova@suse.com -- check for the misconfiguration of certificate's CN and virtual name
Patch24:        mod_nss-compare_subject_CN_and_VS_hostname.patch
# PATCH-FIX-UPSTREAM bnc#902068 kstreitova@suse.com -- small fixes for TLS-v1.2
Patch25:        mod_nss-add_support_for_enabling_TLS_v1.2.patch
# PATCH-FEATURE-UPSTREAM bnc#897712 fate#318331 kstreitova@suse.com -- add Server Name Indication support
Patch26:        mod_nss-SNI_support.patch

BuildRoot:      %{_tmppath}/%{name}-%{version}-build
%define    apxs /usr/sbin/apxs2
%define    apache apache2
%define    apache_libexecdir %(%{apxs} -q LIBEXECDIR)
%define    apache_sysconfdir %(%{apxs} -q SYSCONFDIR)
%define    apache_includedir %(%{apxs} -q INCLUDEDIR)
%define    apache_serverroot %(%{apxs} -q PREFIX)
%define    apache_mmn        %(MMN=$(%{apxs} -q LIBEXECDIR)_MMN; test -x $MMN && $MMN)
%define    apache_sysconf_nssdir %{apache_sysconfdir}/mod_nss.d

%description
The mod_nss module provides strong cryptography for the Apache Web
server via the Secure Sockets Layer (SSL) and Transport Layer
Security (TLS) protocols using the Network Security Services (NSS)
security library.

%prep
%setup -q -n mod_nss-%{version}
##%patch1 -p1 -b .conf.rpmpatch
%patch2 -p1 -b .gencert.rpmpatch
%patch3 -p1 -b .wouldblock.rpmpatch
%patch4 -p1 -b .negotiate.rpmpatch
%patch5 -p1 -b .reverseproxy.rpmpatch
%patch6 -p1 -b .pcachesignal.h.rpmpatch
%patch7 -p1 -b .reseterror.rpmpatch
%patch8 -p1 -b .lockpcache.rpmpatch
%patch10 -p1 -b .proxyvariables.rpmpatch
%patch11 -p1 -b .tlsv1_1.rpmpatch
%patch12 -p1 -b .array_overrun.rpmpatch
%patch13 -p1 -b .clientauth.rpmpatch
%patch14 -p1 -b .no_shutdown_if_not_init_2.rpmpatch
%patch15 -p1 -b .PK11_ListCerts_2.rpmpatch
%patch16 -p1 -b .sslmultiproxy.rpmpatch
%patch17 -p1 -b .overlapping_memcpy.rpmpatch
%patch18 -p0 -b .CVE-2013-4566.rpmpatch
%patch19 -p0 -b .ciphers.rpmpatch
%patch20 -p0 -b .ciphers.doc.rpmpatch
%patch23 -p0 -b .mod_nss-bnc863518-reopen_dev_tty.rpmpatch
%patch24 -p1 -b .mod_nss-compare_subject_CN_and_VS_hostname.rpmpatch
%patch25 -p1 -b .mod_nss-add_support_for_enabling_TLS_v1.2.rpmpatch
%patch26 -p1 -b .mod_nss-SNI_support.rpmpatch

# keep this last, otherwise we get fuzzyness from above
%if 0%{?suse_version} >= 1300
%patch9 -p1 -b .http24
%endif

# Touch expression parser sources to prevent regenerating it
touch nss_expr_*.[chyl]

%build
CFLAGS="$RPM_OPT_FLAGS"
export CFLAGS
NSPR_INCLUDE_DIR=`/usr/bin/pkg-config --variable=includedir nspr`
NSPR_LIB_DIR=`/usr/bin/pkg-config --variable=libdir nspr`
NSS_INCLUDE_DIR=`/usr/bin/pkg-config --variable=includedir nss`
NSS_LIB_DIR=`/usr/bin/pkg-config --variable=libdir nss`
NSS_BIN=`/usr/bin/pkg-config --variable=exec_prefix nss`
# For some reason mod_nss can't find nss on SUSE unless we do the following
C_INCLUDE_PATH="/usr/include/nss3:/usr/include/nspr4:/usr/include/apache2-prefork/"
export C_INCLUDE_PATH
# no more patching a config file...
cp -a %{SOURCE1} ./nss.conf.in
cp -a %{SOURCE4} .
chmod 644 ./nss.conf.in
#autoreconf -fvi
%configure \
    --with-nss-lib=$NSS_LIB_DIR \
    --with-nss-inc=$NSS_INCLUDE_DIR \
    --with-nspr-lib=$NSPR_LIB_DIR \
    --with-nspr-inc=$NSPR_INCLUDE_DIR \
    --with-apxs=%{apxs} \
    --enable-ecc \
    --with-apr-config
make %{?_smp_mflags} all

%install
# The install target of the Makefile isn't used because that uses apxs
# which tries to enable the module in the build host httpd instead of in
# the build root.
mkdir -p $RPM_BUILD_ROOT/%{apache_libexecdir}
mkdir -p $RPM_BUILD_ROOT%{apache_sysconfdir}/conf.d
mkdir -p $RPM_BUILD_ROOT%{apache_sysconfdir}/vhosts.d
mkdir -p $RPM_BUILD_ROOT%{_sbindir}
mkdir -p $RPM_BUILD_ROOT%{apache_sysconf_nssdir}

%if 0%{?suse_version}
perl -pi -e "s|\@apache_lib\@|%{_libdir}\/apache2|g" nss.conf
%endif

install -m 644 nss.conf $RPM_BUILD_ROOT%{apache_sysconfdir}/conf.d/mod_nss.conf
install -m 644 %{SOURCE5} $RPM_BUILD_ROOT%{apache_sysconfdir}/vhosts.d/vhost-nss.template
install -m 644 %{SOURCE2} $RPM_BUILD_ROOT%{apache_sysconfdir}/listen_nss.conf
install -m 755 .libs/libmodnss.so $RPM_BUILD_ROOT%{apache_libexecdir}/mod_nss.so
install -m 755 nss_pcache $RPM_BUILD_ROOT%{_sbindir}/
install -m 755 gencert $RPM_BUILD_ROOT%{_sbindir}/
install -m 755 %{SOURCE3} $RPM_BUILD_ROOT%{_sbindir}/

#ln -s $RPM_BUILD_ROOT/%%{apache_libexecdir}/libnssckbi.so $RPM_BUILD_ROOT%%{apache_sysconf_nssdir}/
touch $RPM_BUILD_ROOT%{apache_sysconf_nssdir}/secmod.db
touch $RPM_BUILD_ROOT%{apache_sysconf_nssdir}/cert8.db
touch $RPM_BUILD_ROOT%{apache_sysconf_nssdir}/key3.db
touch $RPM_BUILD_ROOT%{apache_sysconf_nssdir}/install.log
perl -pi -e "s:$NSS_LIB_DIR:$NSS_BIN:" $RPM_BUILD_ROOT%{_sbindir}/gencert

%clean
rm -rf $RPM_BUILD_ROOT

%post
umask 077
if [ "$1" -eq 1 ] ; then
    # this is first time installation.
    if [ ! -e %{apache_sysconf_nssdir}/key3.db ]; then
        %{_sbindir}/gencert %{apache_sysconf_nssdir} > %{apache_sysconf_nssdir}/install.log 2>&1
        echo ""
        echo "%{name} certificate database generated."
        echo ""
    fi
    # Make sure that the database ownership is setup properly.
    find %{apache_sysconf_nssdir} -user root -name "*.db" -exec /bin/chgrp www {} \;
    find %{apache_sysconf_nssdir} -user root -name "*.db" -exec /bin/chmod 640 {} \;
fi
if [ "$1" -eq 2 ]; then
    # this is the upgrade case for this %post:
    if [ -d %{apache_sysconfdir}/alias ]; then
	copied_files=""
	for dbfile in *.db; do
	    if [ ! -f %{apache_sysconf_nssdir}/"$dbfile" -a -f "$dbfile" ]; then
		cp -a "$dbfile" %{apache_sysconf_nssdir}/"$dbfile"
		copied_files="$copied_files $dbfile"
	    fi
	done
	if [ "$copied_files" != "" ]; then
		{
		echo "This notice was written by the post-install script of the package"
		echo "%{name}."
		echo ""
		echo "The files $copied_files"
		echo "have been copied to the directory %{apache_sysconf_nssdir},"
		echo "as this directory is not referenced by the default configuration any longer,"
		echo "and because these files did not exist in %{apache_sysconf_nssdir}."
		echo "Existing files have not been modified."
		echo ""
		echo "Please check your configuration and remove or move your certificate and"
		echo "key storage to your desired place, and adjust your module configuration"
		echo "accordingly."
		echo ""
		echo "Thank you."
		} > %{apache_sysconfdir}/alias/README-dbfiles.txt
	fi
    fi
fi

%files
%defattr(-,root,root,-)
%doc README LICENSE docs/mod_nss.html README-SUSE.txt
%config(noreplace) %{apache_sysconfdir}/conf.d/mod_nss.conf
%config(noreplace) %{apache_sysconfdir}/vhosts.d/vhost-nss.template
%config(noreplace) %{apache_sysconfdir}/listen_nss.conf
%dir %{apache_libexecdir}
%{apache_libexecdir}/mod_nss.so
%dir %{apache_sysconf_nssdir}/
%ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/secmod.db
%ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/cert8.db
%ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/key3.db
%ghost %config(noreplace) %{apache_sysconf_nssdir}/install.log
#%%{apache_sysconf_nssdir}/libnssckbi.so
%{_sbindir}/nss_pcache
%{_sbindir}/gencert
%{_sbindir}/mod_nss_migrate.pl

%changelog