
From: Thomas Deutschmann <whissi@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: dev-libs/nss/
Date: Wed, 30 Jan 2019 21:27:41
Message-Id: 1548883639.1bbde33e03e34eb417cacb7509dbc7083b599ce5.whissi@gentoo
1 commit: 1bbde33e03e34eb417cacb7509dbc7083b599ce5
2 Author: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
3 AuthorDate: Wed Jan 30 21:27:19 2019 +0000
4 Commit: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
5 CommitDate: Wed Jan 30 21:27:19 2019 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1bbde33e
7
8 dev-libs/nss: security cleanup
9
10 Package-Manager: Portage-2.3.58, Repoman-2.3.12
11 Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org>
12
13 dev-libs/nss/Manifest | 1 -
14 dev-libs/nss/nss-3.40.1.ebuild | 371 ---------------------------------------
15 dev-libs/nss/nss-3.41-r1.ebuild | 373 ----------------------------------------
16 3 files changed, 745 deletions(-)
17
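diff --git a/dev-libs/nss/Manifest b/dev-libs/nss/Manifest
index 3437d83ccf8..2fd800019fc 100644
--- a/dev-libs/nss/Manifest
+++ b/dev-libs/nss/Manifest
@@ -1,5 +1,4 @@
 DIST nss-3.40.1.tar.gz 23311074 BLAKE2B 9cd723e983a3f70748b0734bb2a6cc1ddfa280f1c167c3b1b371a58900fb3d9b3bf3482293bb8614d39ffb538bcca815a2aedbe03d2d643731817452f82bc2ca SHA512 464ae843161e8deb911975d2117e8bf1194a968689b4ce70f9a12d5a33dba7ddd69f1248ec45244139c30fcc87678b206a4e124f032b26ead8bf894e4e8d0564
-DIST nss-3.41.tar.gz 23319563 BLAKE2B 76636b704cd572f9b840c7699c29697a4a882e66afcc3895ceb7b59a7af7af2513074e1abc6a028a13126d44e0cf722ab29e52a4c69640a2247814292efa282d SHA512 b5a43fe86ded664002fd714c493d9222a64539cd6139b64720625d1742fec5100712cbe401c90c79196e9cbad9ec07d9b4f0f517ce34e4b207beaa3e01c9e114
 DIST nss-3.42.tar.gz 23416008 BLAKE2B 4aaf31fbc13b57ef438cfd8ee0c42a681af6939c707a51a25cb551c120221a5b37b1471926e75920dc2a53466d2f47599973b6f53175d7e952b49527bf3f34a6 SHA512 ad22f4b2672b4f29c7dd5544cbb642d3ec4b451137ffde4f608ff7b9826c762caa885f4802e1df291d2067a291aae9ffa1cf7298af96e1c6afa019fc7c3935bd
 DIST nss-cacert-class1-class3.patch 22950 BLAKE2B 9d5e60df5f161a3c27c41e5a9419440a54f888eda454e3cde5ebe626d4075b65cf9938b5144d0fb022377f4bd415bff5e5c67d104409860aa9391b3eb8872c68 SHA512 a5aa740bf110a3f0262e3f1ef2fc739ac2b44f042e220039d48aee8e97cd764d5c10718220364f4098aba955882bd02cadb5481512388971a8290312f88a7df0
 DIST nss-pem-20160329.tar.xz 27732 BLAKE2B 7c23133a7bfb969d8eac98fb6311e76ab60c5d6601c7329f3c492da30c017e66d64a1f8bc827dd36e52e65c1a1ec02b58816442aaf410345c5ed759a02264b84 SHA512 5834b06e4c64205447573d4f4c8989e20986ae67ee00eebce3817eb73794a6355a404143ba1c676ec302ceefaf9df103cb879b1d4ff14ba4e3790dbee3e40eb2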
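diff --git a/dev-libs/nss/nss-3.40.1.ebuild b/dev-libs/nss/nss-3.40.1.ebuild
deleted file mode 100644
index 02de23a58d2..00000000000
--- a/dev-libs/nss/nss-3.40.1.ebuild
+++ /dev/null
@@ -1,371 +0,0 @@
-# Copyright 1999-2019 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit eutils flag-o-matic multilib toolchain-funcs multilib-minimal
-
-NSPR_VER="4.16"
-RTM_NAME="NSS_${PV//./_}_RTM"
-# Rev of https://git.fedorahosted.org/cgit/nss-pem.git
-PEM_GIT_REV="429b0222759d8ad8e6dcd29e62875ae3efd69116"
-PEM_P="${PN}-pem-20160329"
-
-DESCRIPTION="Mozilla's Network Security Services library that implements PKI support"
-HOMEPAGE="http://www.mozilla.org/projects/security/pki/nss/"
-SRC_URI="https://archive.mozilla.org/pub/security/nss/releases/${RTM_NAME}/src/${P}.tar.gz
- cacert? ( https://dev.gentoo.org/~axs/distfiles/${PN}-cacert-class1-class3.patch )
- nss-pem? ( https://dev.gentoo.org/~polynomial-c/${PEM_P}.tar.xz )"
-
-LICENSE="|| ( MPL-2.0 GPL-2 LGPL-2.1 )"
-SLOT="0"
-KEYWORDS="alpha amd64 arm arm64 hppa ia64 ~m68k ~mips ppc ppc64 s390 ~sh sparc x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris"
-IUSE="cacert +nss-pem utils"
-CDEPEND=">=dev-db/sqlite-3.8.2[${MULTILIB_USEDEP}]
- >=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}]"
-DEPEND=">=virtual/pkgconfig-0-r1[${MULTILIB_USEDEP}]
- >=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}]
- ${CDEPEND}"
-RDEPEND=">=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}]
- ${CDEPEND}
-"
-
-RESTRICT="test"
-
-S="${WORKDIR}/${P}/${PN}"
-
-MULTILIB_CHOST_TOOLS=(
- /usr/bin/nss-config
-)
-
-PATCHES=(
- # Custom changes for gentoo
- "${FILESDIR}/${PN}-3.32-gentoo-fixups.patch"
- "${FILESDIR}/${PN}-3.21-gentoo-fixup-warnings.patch"
- "${FILESDIR}/${PN}-3.23-hppa-byte_order.patch"
-)
-
-src_unpack() {
- unpack ${A}
- if use nss-pem ; then
- mv "${PN}"/lib/ckfw/pem/ "${S}"/lib/ckfw/ || die
- fi
-}
-
-src_prepare() {
- if use nss-pem ; then
- PATCHES+=(
- "${FILESDIR}/${PN}-3.21-enable-pem.patch"
- )
- fi
- if use cacert ; then #521462
- PATCHES+=(
- "${DISTDIR}/${PN}-cacert-class1-class3.patch"
- )
- fi
-
- default
-
- pushd coreconf >/dev/null || die
- # hack nspr paths
- echo 'INCLUDES += -I$(DIST)/include/dbm' \
- >> headers.mk || die "failed to append include"
-
- # modify install path
- sed -e '/CORE_DEPTH/s:SOURCE_PREFIX.*$:SOURCE_PREFIX = $(CORE_DEPTH)/dist:' \
- -i source.mk || die
-
- # Respect LDFLAGS
- sed -i -e 's/\$(MKSHLIB) -o/\$(MKSHLIB) \$(LDFLAGS) -o/g' rules.mk
- popd >/dev/null || die
-
- # Fix pkgconfig file for Prefix
- sed -i -e "/^PREFIX =/s:= /usr:= ${EPREFIX}/usr:" \
- config/Makefile || die
-
- # use host shlibsign if need be #436216
- if tc-is-cross-compiler ; then
- sed -i \
- -e 's:"${2}"/shlibsign:shlibsign:' \
- cmd/shlibsign/sign.sh || die
- fi
-
- # dirty hack
- sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../freebl/\$(OBJDIR):" \
- lib/ssl/config.mk || die
- sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../../lib/freebl/\$(OBJDIR):" \
- cmd/platlibs.mk || die
-
- multilib_copy_sources
-
- strip-flags
-}
-
-multilib_src_configure() {
- # Ensure we stay multilib aware
- sed -i -e "/@libdir@/ s:lib64:$(get_libdir):" config/Makefile || die
-}
-
-nssarch() {
- # Most of the arches are the same as $ARCH
- local t=${1:-${CHOST}}
- case ${t} in
- aarch64*)echo "aarch64";;
- hppa*) echo "parisc";;
- i?86*) echo "i686";;
- x86_64*) echo "x86_64";;
- *) tc-arch ${t};;
- esac
-}
-
-nssbits() {
- local cc cppflags="${1}CPPFLAGS" cflags="${1}CFLAGS"
- if [[ ${1} == BUILD_ ]]; then
- cc=$(tc-getBUILD_CC)
- else
- cc=$(tc-getCC)
- fi
- echo > "${T}"/test.c || die
- ${cc} ${!cppflags} ${!cflags} -c "${T}"/test.c -o "${T}/${1}test.o" || die
- case $(file "${T}/${1}test.o") in
- *32-bit*x86-64*) echo USE_X32=1;;
- *64-bit*|*ppc64*|*x86_64*) echo USE_64=1;;
- *32-bit*|*ppc*|*i386*) ;;
- *) die "Failed to detect whether ${cc} builds 64bits or 32bits, disable distcc if you're using it, please";;
- esac
-}
-
-multilib_src_compile() {
- # use ABI to determine bit'ness, or fallback if unset
- local buildbits mybits
- case "${ABI}" in
- n32) mybits="USE_N32=1";;
- x32) mybits="USE_X32=1";;
- s390x|*64) mybits="USE_64=1";;
- ${DEFAULT_ABI})
- einfo "Running compilation test to determine bit'ness"
- mybits=$(nssbits)
- ;;
- esac
- # bitness of host may differ from target
- if tc-is-cross-compiler; then
- buildbits=$(nssbits BUILD_)
- fi
-
- local makeargs=(
- CC="$(tc-getCC)"
- CCC="$(tc-getCXX)"
- AR="$(tc-getAR) rc \$@"
- RANLIB="$(tc-getRANLIB)"
- OPTIMIZER=
- ${mybits}
- )
-
- # Take care of nspr settings #436216
- local myCPPFLAGS="${CPPFLAGS} $($(tc-getPKG_CONFIG) nspr --cflags)"
- unset NSPR_INCLUDE_DIR
-
- # Do not let `uname` be used.
- if use kernel_linux ; then
- makeargs+=(
- OS_TARGET=Linux
- OS_RELEASE=2.6
- OS_TEST="$(nssarch)"
- )
- fi
-
- export NSS_ENABLE_WERROR=0 #567158
- export BUILD_OPT=1
- export NSS_USE_SYSTEM_SQLITE=1
- export NSDISTMODE=copy
- export NSS_ENABLE_ECC=1
- export FREEBL_NO_DEPEND=1
- export ASFLAGS=""
-
- local d
-
- # Build the host tools first.
- LDFLAGS="${BUILD_LDFLAGS}" \
- XCFLAGS="${BUILD_CFLAGS}" \
- NSPR_LIB_DIR="${T}/fakedir" \
- emake -j1 -C coreconf \
- CC="$(tc-getBUILD_CC)" \
- ${buildbits:-${mybits}}
- makeargs+=( NSINSTALL="${PWD}/$(find -type f -name nsinstall)" )
-
- # Then build the target tools.
- for d in . lib/dbm ; do
- CPPFLAGS="${myCPPFLAGS}" \
- XCFLAGS="${CFLAGS} ${CPPFLAGS}" \
- NSPR_LIB_DIR="${T}/fakedir" \
- emake -j1 "${makeargs[@]}" -C ${d}
- done
-}
-
-# Altering these 3 libraries breaks the CHK verification.
-# All of the following cause it to break:
-# - stripping
-# - prelink
-# - ELF signing
-# http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn6.html
-# Either we have to NOT strip them, or we have to forcibly resign after
-# stripping.
-#local_libdir="$(get_libdir)"
-#export STRIP_MASK="
-# */${local_libdir}/libfreebl3.so*
-# */${local_libdir}/libnssdbm3.so*
-# */${local_libdir}/libsoftokn3.so*"
-
-export NSS_CHK_SIGN_LIBS="freebl3 nssdbm3 softokn3"
-
-generate_chk() {
- local shlibsign="$1"
- local libdir="$2"
- einfo "Resigning core NSS libraries for FIPS validation"
- shift 2
- local i
- for i in ${NSS_CHK_SIGN_LIBS} ; do
- local libname=lib${i}.so
- local chkname=lib${i}.chk
- "${shlibsign}" \
- -i "${libdir}"/${libname} \
- -o "${libdir}"/${chkname}.tmp \
- && mv -f \
- "${libdir}"/${chkname}.tmp \
- "${libdir}"/${chkname} \
- || die "Failed to sign ${libname}"
- done
-}
-
-cleanup_chk() {
- local libdir="$1"
- shift 1
- local i
- for i in ${NSS_CHK_SIGN_LIBS} ; do
- local libfname="${libdir}/lib${i}.so"
- # If the major version has changed, then we have old chk files.
- [ ! -f "${libfname}" -a -f "${libfname}.chk" ] \
- && rm -f "${libfname}.chk"
- done
-}
-
-multilib_src_install() {
- pushd dist >/dev/null || die
-
- dodir /usr/$(get_libdir)
- cp -L */lib/*$(get_libname) "${ED%/}"/usr/$(get_libdir) || die "copying shared libs failed"
- local i
- for i in crmf freebl nssb nssckfw ; do
- cp -L */lib/lib${i}.a "${ED%/}"/usr/$(get_libdir) || die "copying libs failed"
- done
-
- # Install nss-config and pkgconfig file
- dodir /usr/bin
- cp -L */bin/nss-config "${ED%/}"/usr/bin || die
- dodir /usr/$(get_libdir)/pkgconfig
- cp -L */lib/pkgconfig/nss.pc "${ED%/}"/usr/$(get_libdir)/pkgconfig || die
-
- # create an nss-softokn.pc from nss.pc for libfreebl and some private headers
- # bug 517266
- sed -e 's#Libs:#Libs: -lfreebl#' \
- -e 's#Cflags:#Cflags: -I${includedir}/private#' \
- */lib/pkgconfig/nss.pc >"${ED%/}"/usr/$(get_libdir)/pkgconfig/nss-softokn.pc \
- || die "could not create nss-softokn.pc"
-
- # all the include files
- insinto /usr/include/nss
- doins public/nss/*.{h,api}
- insinto /usr/include/nss/private
- doins private/nss/{blapi,alghmac}.h
-
- popd >/dev/null || die
-
- local f nssutils
- # Always enabled because we need it for chk generation.
- nssutils=( shlibsign )
-
- if multilib_is_native_abi ; then
- if use utils; then
- # The tests we do not need to install.
- #nssutils_test="bltest crmftest dbtest dertimetest
- #fipstest remtest sdrtest"
- # checkcert utils has been removed in nss-3.22:
- # https://bugzilla.mozilla.org/show_bug.cgi?id=1187545
- # https://hg.mozilla.org/projects/nss/rev/df1729d37870
- # certcgi has been removed in nss-3.36:
- # https://bugzilla.mozilla.org/show_bug.cgi?id=1426602
- nssutils+=(
- addbuiltin
- atob
- baddbdir
- btoa
- certutil
- cmsutil
- conflict
- crlutil
- derdump
- digest
- makepqg
- mangle
- modutil
- multinit
- nonspr10
- ocspclnt
- oidcalc
- p7content
- p7env
- p7sign
- p7verify
- pk11mode
- pk12util
- pp
- rsaperf
- selfserv
- signtool
- signver
- ssltap
- strsclnt
- symkeyutil
- tstclnt
- vfychain
- vfyserv
- )
- # install man-pages for utils (bug #516810)
- doman doc/nroff/*.1
- fi
- pushd dist/*/bin >/dev/null || die
- for f in ${nssutils[@]}; do
- dobin ${f}
- done
- popd >/dev/null || die
- fi
-
- # Prelink breaks the CHK files. We don't have any reliable way to run
- # shlibsign after prelink.
- dodir /etc/prelink.conf.d
- printf -- "-b ${EPREFIX}/usr/$(get_libdir)/lib%s.so\n" ${NSS_CHK_SIGN_LIBS} \
- > "${ED%/}"/etc/prelink.conf.d/nss.conf
-}
-
-pkg_postinst() {
- multilib_pkg_postinst() {
- # We must re-sign the libraries AFTER they are stripped.
- local shlibsign="${EROOT}/usr/bin/shlibsign"
- # See if we can execute it (cross-compiling & such). #436216
- "${shlibsign}" -h >&/dev/null
- if [[ $? -gt 1 ]] ; then
- shlibsign="shlibsign"
- fi
- generate_chk "${shlibsign}" "${EROOT}"/usr/$(get_libdir)
- }
-
- multilib_foreach_abi multilib_pkg_postinst
-}
-
-pkg_postrm() {
- multilib_pkg_postrm() {
- cleanup_chk "${EROOT}"/usr/$(get_libdir)
- }
-
- multilib_foreach_abi multilib_pkg_postrm
-}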
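diff --git a/dev-libs/nss/nss-3.41-r1.ebuild b/dev-libs/nss/nss-3.41-r1.ebuild
deleted file mode 100644
index 907e54788a6..00000000000
--- a/dev-libs/nss/nss-3.41-r1.ebuild
+++ /dev/null
@@ -1,373 +0,0 @@
-# Copyright 1999-2019 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit eutils flag-o-matic multilib toolchain-funcs multilib-minimal
-
-NSPR_VER="4.16"
-RTM_NAME="NSS_${PV//./_}_RTM"
-# Rev of https://git.fedorahosted.org/cgit/nss-pem.git
-PEM_GIT_REV="429b0222759d8ad8e6dcd29e62875ae3efd69116"
-PEM_P="${PN}-pem-20160329"
-
-DESCRIPTION="Mozilla's Network Security Services library that implements PKI support"
-HOMEPAGE="http://www.mozilla.org/projects/security/pki/nss/"
-SRC_URI="https://archive.mozilla.org/pub/security/nss/releases/${RTM_NAME}/src/${P}.tar.gz
- cacert? ( https://dev.gentoo.org/~axs/distfiles/${PN}-cacert-class1-class3.patch )
- nss-pem? ( https://dev.gentoo.org/~polynomial-c/${PEM_P}.tar.xz )"
-
-LICENSE="|| ( MPL-2.0 GPL-2 LGPL-2.1 )"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris"
-IUSE="cacert +nss-pem utils"
-CDEPEND=">=dev-db/sqlite-3.8.2[${MULTILIB_USEDEP}]
- >=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}]"
-DEPEND=">=virtual/pkgconfig-0-r1[${MULTILIB_USEDEP}]
- >=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}]
- ${CDEPEND}"
-RDEPEND=">=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}]
- ${CDEPEND}
-"
-
-RESTRICT="test"
-
-S="${WORKDIR}/${P}/${PN}"
-
-MULTILIB_CHOST_TOOLS=(
- /usr/bin/nss-config
-)
-
-PATCHES=(
- # Custom changes for gentoo
- "${FILESDIR}/${PN}-3.32-gentoo-fixups.patch"
- "${FILESDIR}/${PN}-3.21-gentoo-fixup-warnings.patch"
- "${FILESDIR}/${PN}-3.23-hppa-byte_order.patch"
- # fix for bugs ported forward from 3.36.7
- "${FILESDIR}/${PN}-3.36.7-fix-cms.patch"
-)
-
-src_unpack() {
- unpack ${A}
- if use nss-pem ; then
- mv "${PN}"/lib/ckfw/pem/ "${S}"/lib/ckfw/ || die
- fi
-}
-
-src_prepare() {
- if use nss-pem ; then
- PATCHES+=(
- "${FILESDIR}/${PN}-3.21-enable-pem.patch"
- )
- fi
- if use cacert ; then #521462
- PATCHES+=(
- "${DISTDIR}/${PN}-cacert-class1-class3.patch"
- )
- fi
-
- default
-
- pushd coreconf >/dev/null || die
- # hack nspr paths
- echo 'INCLUDES += -I$(DIST)/include/dbm' \
- >> headers.mk || die "failed to append include"
-
- # modify install path
- sed -e '/CORE_DEPTH/s:SOURCE_PREFIX.*$:SOURCE_PREFIX = $(CORE_DEPTH)/dist:' \
- -i source.mk || die
-
- # Respect LDFLAGS
- sed -i -e 's/\$(MKSHLIB) -o/\$(MKSHLIB) \$(LDFLAGS) -o/g' rules.mk
- popd >/dev/null || die
-
- # Fix pkgconfig file for Prefix
- sed -i -e "/^PREFIX =/s:= /usr:= ${EPREFIX}/usr:" \
- config/Makefile || die
-
- # use host shlibsign if need be #436216
- if tc-is-cross-compiler ; then
- sed -i \
- -e 's:"${2}"/shlibsign:shlibsign:' \
- cmd/shlibsign/sign.sh || die
- fi
-
- # dirty hack
- sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../freebl/\$(OBJDIR):" \
- lib/ssl/config.mk || die
- sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../../lib/freebl/\$(OBJDIR):" \
- cmd/platlibs.mk || die
-
- multilib_copy_sources
-
- strip-flags
-}
-
-multilib_src_configure() {
- # Ensure we stay multilib aware
- sed -i -e "/@libdir@/ s:lib64:$(get_libdir):" config/Makefile || die
-}
-
-nssarch() {
- # Most of the arches are the same as $ARCH
- local t=${1:-${CHOST}}
- case ${t} in
- aarch64*)echo "aarch64";;
- hppa*) echo "parisc";;
- i?86*) echo "i686";;
- x86_64*) echo "x86_64";;
- *) tc-arch ${t};;
- esac
-}
-
-nssbits() {
- local cc cppflags="${1}CPPFLAGS" cflags="${1}CFLAGS"
- if [[ ${1} == BUILD_ ]]; then
- cc=$(tc-getBUILD_CC)
- else
- cc=$(tc-getCC)
- fi
- echo > "${T}"/test.c || die
- ${cc} ${!cppflags} ${!cflags} -c "${T}"/test.c -o "${T}/${1}test.o" || die
- case $(file "${T}/${1}test.o") in
- *32-bit*x86-64*) echo USE_X32=1;;
- *64-bit*|*ppc64*|*x86_64*) echo USE_64=1;;
- *32-bit*|*ppc*|*i386*) ;;
- *) die "Failed to detect whether ${cc} builds 64bits or 32bits, disable distcc if you're using it, please";;
- esac
-}
-
-multilib_src_compile() {
- # use ABI to determine bit'ness, or fallback if unset
- local buildbits mybits
- case "${ABI}" in
- n32) mybits="USE_N32=1";;
- x32) mybits="USE_X32=1";;
- s390x|*64) mybits="USE_64=1";;
- ${DEFAULT_ABI})
- einfo "Running compilation test to determine bit'ness"
- mybits=$(nssbits)
- ;;
- esac
- # bitness of host may differ from target
- if tc-is-cross-compiler; then
- buildbits=$(nssbits BUILD_)
- fi
-
- local makeargs=(
- CC="$(tc-getCC)"
- CCC="$(tc-getCXX)"
- AR="$(tc-getAR) rc \$@"
- RANLIB="$(tc-getRANLIB)"
- OPTIMIZER=
- ${mybits}
- )
-
- # Take care of nspr settings #436216
- local myCPPFLAGS="${CPPFLAGS} $($(tc-getPKG_CONFIG) nspr --cflags)"
- unset NSPR_INCLUDE_DIR
-
- # Do not let `uname` be used.
- if use kernel_linux ; then
- makeargs+=(
- OS_TARGET=Linux
- OS_RELEASE=2.6
- OS_TEST="$(nssarch)"
- )
- fi
-
- export NSS_ENABLE_WERROR=0 #567158
- export BUILD_OPT=1
- export NSS_USE_SYSTEM_SQLITE=1
- export NSDISTMODE=copy
- export NSS_ENABLE_ECC=1
- export FREEBL_NO_DEPEND=1
- export ASFLAGS=""
-
- local d
-
- # Build the host tools first.
- LDFLAGS="${BUILD_LDFLAGS}" \
- XCFLAGS="${BUILD_CFLAGS}" \
- NSPR_LIB_DIR="${T}/fakedir" \
- emake -j1 -C coreconf \
- CC="$(tc-getBUILD_CC)" \
- ${buildbits:-${mybits}}
- makeargs+=( NSINSTALL="${PWD}/$(find -type f -name nsinstall)" )
-
- # Then build the target tools.
- for d in . lib/dbm ; do
- CPPFLAGS="${myCPPFLAGS}" \
- XCFLAGS="${CFLAGS} ${CPPFLAGS}" \
- NSPR_LIB_DIR="${T}/fakedir" \
- emake -j1 "${makeargs[@]}" -C ${d}
- done
-}
-
-# Altering these 3 libraries breaks the CHK verification.
-# All of the following cause it to break:
-# - stripping
-# - prelink
-# - ELF signing
-# http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn6.html
-# Either we have to NOT strip them, or we have to forcibly resign after
-# stripping.
-#local_libdir="$(get_libdir)"
-#export STRIP_MASK="
-# */${local_libdir}/libfreebl3.so*
-# */${local_libdir}/libnssdbm3.so*
-# */${local_libdir}/libsoftokn3.so*"
-
-export NSS_CHK_SIGN_LIBS="freebl3 nssdbm3 softokn3"
-
-generate_chk() {
- local shlibsign="$1"
- local libdir="$2"
- einfo "Resigning core NSS libraries for FIPS validation"
- shift 2
- local i
- for i in ${NSS_CHK_SIGN_LIBS} ; do
- local libname=lib${i}.so
- local chkname=lib${i}.chk
- "${shlibsign}" \
- -i "${libdir}"/${libname} \
- -o "${libdir}"/${chkname}.tmp \
- && mv -f \
- "${libdir}"/${chkname}.tmp \
- "${libdir}"/${chkname} \
- || die "Failed to sign ${libname}"
- done
-}
-
-cleanup_chk() {
- local libdir="$1"
- shift 1
- local i
- for i in ${NSS_CHK_SIGN_LIBS} ; do
- local libfname="${libdir}/lib${i}.so"
- # If the major version has changed, then we have old chk files.
- [ ! -f "${libfname}" -a -f "${libfname}.chk" ] \
- && rm -f "${libfname}.chk"
- done
-}
-
-multilib_src_install() {
- pushd dist >/dev/null || die
-
- dodir /usr/$(get_libdir)
- cp -L */lib/*$(get_libname) "${ED%/}"/usr/$(get_libdir) || die "copying shared libs failed"
- local i
- for i in crmf freebl nssb nssckfw ; do
- cp -L */lib/lib${i}.a "${ED%/}"/usr/$(get_libdir) || die "copying libs failed"
- done
-
- # Install nss-config and pkgconfig file
- dodir /usr/bin
- cp -L */bin/nss-config "${ED%/}"/usr/bin || die
- dodir /usr/$(get_libdir)/pkgconfig
- cp -L */lib/pkgconfig/nss.pc "${ED%/}"/usr/$(get_libdir)/pkgconfig || die
-
- # create an nss-softokn.pc from nss.pc for libfreebl and some private headers
- # bug 517266
- sed -e 's#Libs:#Libs: -lfreebl#' \
- -e 's#Cflags:#Cflags: -I${includedir}/private#' \
- */lib/pkgconfig/nss.pc >"${ED%/}"/usr/$(get_libdir)/pkgconfig/nss-softokn.pc \
- || die "could not create nss-softokn.pc"
-
- # all the include files
- insinto /usr/include/nss
- doins public/nss/*.{h,api}
- insinto /usr/include/nss/private
- doins private/nss/{blapi,alghmac}.h
-
- popd >/dev/null || die
-
- local f nssutils
- # Always enabled because we need it for chk generation.
- nssutils=( shlibsign )
-
- if multilib_is_native_abi ; then
- if use utils; then
- # The tests we do not need to install.
- #nssutils_test="bltest crmftest dbtest dertimetest
- #fipstest remtest sdrtest"
- # checkcert utils has been removed in nss-3.22:
- # https://bugzilla.mozilla.org/show_bug.cgi?id=1187545
- # https://hg.mozilla.org/projects/nss/rev/df1729d37870
- # certcgi has been removed in nss-3.36:
- # https://bugzilla.mozilla.org/show_bug.cgi?id=1426602
- nssutils+=(
- addbuiltin
- atob
- baddbdir
- btoa
- certutil
- cmsutil
- conflict
- crlutil
- derdump
- digest
- makepqg
- mangle
- modutil
- multinit
- nonspr10
- ocspclnt
- oidcalc
- p7content
- p7env
- p7sign
- p7verify
- pk11mode
- pk12util
- pp
- rsaperf
- selfserv
- signtool
- signver
- ssltap
- strsclnt
- symkeyutil
- tstclnt
- vfychain
- vfyserv
- )
- # install man-pages for utils (bug #516810)
- doman doc/nroff/*.1
- fi
- pushd dist/*/bin >/dev/null || die
- for f in ${nssutils[@]}; do
- dobin ${f}
- done
- popd >/dev/null || die
- fi
-
- # Prelink breaks the CHK files. We don't have any reliable way to run
- # shlibsign after prelink.
- dodir /etc/prelink.conf.d
- printf -- "-b ${EPREFIX}/usr/$(get_libdir)/lib%s.so\n" ${NSS_CHK_SIGN_LIBS} \
- > "${ED%/}"/etc/prelink.conf.d/nss.conf
-}
-
-pkg_postinst() {
- multilib_pkg_postinst() {
- # We must re-sign the libraries AFTER they are stripped.
- local shlibsign="${EROOT}/usr/bin/shlibsign"
- # See if we can execute it (cross-compiling & such). #436216
- "${shlibsign}" -h >&/dev/null
- if [[ $? -gt 1 ]] ; then
- shlibsign="shlibsign"
- fi
- generate_chk "${shlibsign}" "${EROOT}"/usr/$(get_libdir)
- }
-
- multilib_foreach_abi multilib_pkg_postinst
-}
-
-pkg_postrm() {
- multilib_pkg_postrm() {
- cleanup_chk "${EROOT}"/usr/$(get_libdir)
- }
-
- multilib_foreach_abi multilib_pkg_postrm
-}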