Gentoo Archives: gentoo-commits

From: "Lars Wendler (polynomial-c)" <polynomial-c@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo-x86 commit in dev-libs/nss: nss-3.16.5.ebuild ChangeLog nss-3.17.1.ebuild
Date: Thu, 25 Sep 2014 06:00:19
Message-Id: 20140925060012.474A26331@oystercatcher.gentoo.org
1 polynomial-c 14/09/25 06:00:12
2
3 Modified: ChangeLog
4 Added: nss-3.16.5.ebuild nss-3.17.1.ebuild
5 Log:
6 Security bump (bug #523652). RSA signature forgery attack (CVE-2014-1568)
7
8 (Portage version: 2.2.13/cvs/Linux x86_64, signed Manifest commit with key 0x981CA6FC)
9
10 Revision Changes Path
11 1.381 dev-libs/nss/ChangeLog
12
13 file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/dev-libs/nss/ChangeLog?rev=1.381&view=markup
14 plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/dev-libs/nss/ChangeLog?rev=1.381&content-type=text/plain
15 diff : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/dev-libs/nss/ChangeLog?r1=1.380&r2=1.381
16
17 Index: ChangeLog
18 ===================================================================
19 RCS file: /var/cvsroot/gentoo-x86/dev-libs/nss/ChangeLog,v
20 retrieving revision 1.380
21 retrieving revision 1.381
22 diff -u -r1.380 -r1.381
23 --- ChangeLog 3 Sep 2014 16:10:40 -0000 1.380
24 +++ ChangeLog 25 Sep 2014 06:00:12 -0000 1.381
25 @@ -1,6 +1,13 @@
26 # ChangeLog for dev-libs/nss
27 # Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2
28 -# $Header: /var/cvsroot/gentoo-x86/dev-libs/nss/ChangeLog,v 1.380 2014/09/03 16:10:40 polynomial-c Exp $
29 +# $Header: /var/cvsroot/gentoo-x86/dev-libs/nss/ChangeLog,v 1.381 2014/09/25 06:00:12 polynomial-c Exp $
30 +
31 +*nss-3.17.1 (25 Sep 2014)
32 +*nss-3.16.5 (25 Sep 2014)
33 +
34 + 25 Sep 2014; Lars Wendler <polynomial-c@g.o> +nss-3.16.5.ebuild,
35 + +nss-3.17.1.ebuild, +files/nss-3.17.1-gentoo-fixups.patch:
36 + Security bump (bug #523652). RSA signature forgery attack (CVE-2014-1568).
37
38 *nss-3.17 (03 Sep 2014)
39
40
41
42
43 1.1 dev-libs/nss/nss-3.16.5.ebuild
44
45 file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/dev-libs/nss/nss-3.16.5.ebuild?rev=1.1&view=markup
46 plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/dev-libs/nss/nss-3.16.5.ebuild?rev=1.1&content-type=text/plain
47
48 Index: nss-3.16.5.ebuild
49 ===================================================================
50 # Copyright 1999-2014 Gentoo Foundation
51 # Distributed under the terms of the GNU General Public License v2
52 # $Header: /var/cvsroot/gentoo-x86/dev-libs/nss/nss-3.16.5.ebuild,v 1.1 2014/09/25 06:00:12 polynomial-c Exp $
53
54 EAPI=5
55 inherit eutils flag-o-matic multilib toolchain-funcs multilib-minimal
56
57 NSPR_VER="4.10.6-r1"
58 RTM_NAME="NSS_${PV//./_}_RTM"
59 # Rev of https://git.fedorahosted.org/cgit/nss-pem.git
60 PEM_GIT_REV="3ade37c5c4ca5a6094e3f4b2e4591405db1867dd"
61 PEM_P="${PN}-pem-${PEM_GIT_REV}"
62
63 DESCRIPTION="Mozilla's Network Security Services library that implements PKI support"
64 HOMEPAGE="http://www.mozilla.org/projects/security/pki/nss/"
65 SRC_URI="ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/${RTM_NAME}/src/${P}.tar.gz
66 cacert? ( http://dev.gentoo.org/~anarchy/patches/${PN}-3.14.1-add_spi+cacerts_ca_certs.patch )
67 nss-pem? ( https://git.fedorahosted.org/cgit/nss-pem.git/snapshot/${PEM_P}.tar.bz2 )"
68
69 LICENSE="|| ( MPL-2.0 GPL-2 LGPL-2.1 )"
70 SLOT="0"
71 KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris"
72 IUSE="+cacert +nss-pem utils"
73
74 DEPEND=">=virtual/pkgconfig-0-r1[${MULTILIB_USEDEP}]
75 >=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}]"
76 RDEPEND=">=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}]
77 >=dev-db/sqlite-3.8.2[${MULTILIB_USEDEP}]
78 >=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}]
79 abi_x86_32? (
80 !<=app-emulation/emul-linux-x86-baselibs-20140508-r12
81 !app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
82 )"
83
84 RESTRICT="test"
85
86 S="${WORKDIR}/${P}/${PN}"
87
88 MULTILIB_CHOST_TOOLS=(
89 /usr/bin/nss-config
90 )
91
92 src_unpack() {
93 unpack ${A}
94 if use nss-pem ; then
95 mv "${PEM_P}"/nss/lib/ckfw/pem/ "${S}"/lib/ckfw/ || die
96 fi
97 }
98
99 src_prepare() {
100 # Custom changes for gentoo
101 epatch "${FILESDIR}/${PN}-3.15-gentoo-fixups.patch"
102 epatch "${FILESDIR}/${PN}-3.15-gentoo-fixup-warnings.patch"
103 use cacert && epatch "${DISTDIR}/${PN}-3.14.1-add_spi+cacerts_ca_certs.patch"
104 use nss-pem && epatch "${FILESDIR}/${PN}-3.15.4-enable-pem.patch"
105 epatch "${FILESDIR}/nss-3.14.2-solaris-gcc.patch"
106
107 pushd coreconf >/dev/null || die
108 # hack nspr paths
109 echo 'INCLUDES += -I$(DIST)/include/dbm' \
110 >> headers.mk || die "failed to append include"
111
112 # modify install path
113 sed -e '/CORE_DEPTH/s:SOURCE_PREFIX.*$:SOURCE_PREFIX = $(CORE_DEPTH)/dist:' \
114 -i source.mk || die
115
116 # Respect LDFLAGS
117 sed -i -e 's/\$(MKSHLIB) -o/\$(MKSHLIB) \$(LDFLAGS) -o/g' rules.mk
118 popd >/dev/null || die
119
120 # Fix pkgconfig file for Prefix
121 sed -i -e "/^PREFIX =/s:= /usr:= ${EPREFIX}/usr:" \
122 config/Makefile || die
123
124 # use host shlibsign if need be #436216
125 if tc-is-cross-compiler ; then
126 sed -i \
127 -e 's:"${2}"/shlibsign:shlibsign:' \
128 cmd/shlibsign/sign.sh || die
129 fi
130
131 # dirty hack
132 sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../freebl/\$(OBJDIR):" \
133 lib/ssl/config.mk || die
134 sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../../lib/freebl/\$(OBJDIR):" \
135 cmd/platlibs.mk || die
136
137 multilib_copy_sources
138
139 strip-flags
140 }
141
142 multilib_src_configure() {
143 # Ensure we stay multilib aware
144 sed -i -e "/@libdir@/ s:lib64:$(get_libdir):" config/Makefile || die
145 }
146
147 nssarch() {
148 # Most of the arches are the same as $ARCH
149 local t=${1:-${CHOST}}
150 case ${t} in
151 aarch64*)echo "aarch64";;
152 hppa*) echo "parisc";;
153 i?86*) echo "i686";;
154 x86_64*) echo "x86_64";;
155 *) tc-arch ${t};;
156 esac
157 }
158
159 nssbits() {
160 local cc cppflags="${1}CPPFLAGS" cflags="${1}CFLAGS"
161 if [[ ${1} == BUILD_ ]]; then
162 cc=$(tc-getBUILD_CC)
163 else
164 cc=$(tc-getCC)
165 fi
166 echo > "${T}"/test.c || die
167 ${cc} ${!cppflags} ${!cflags} -c "${T}"/test.c -o "${T}/${1}test.o" || die
168 case $(file "${T}/${1}test.o") in
169 *32-bit*x86-64*) echo USE_X32=1;;
170 *64-bit*|*ppc64*|*x86_64*) echo USE_64=1;;
171 *32-bit*|*ppc*|*i386*) ;;
172 *) die "Failed to detect whether ${cc} builds 64bits or 32bits, disable distcc if you're using it, please";;
173 esac
174 }
175
176 multilib_src_compile() {
177 # use ABI to determine bit'ness, or fallback if unset
178 local buildbits mybits
179 case "${ABI}" in
180 n32) mybits="USE_N32=1";;
181 x32) mybits="USE_X32=1";;
182 s390x|*64) mybits="USE_64=1";;
183 default) mybits=$(nssbits);;
184 esac
185 # bitness of host may differ from target
186 if tc-is-cross-compiler; then
187 buildbits=$(nssbits BUILD_)
188 fi
189
190 local makeargs=(
191 CC="$(tc-getCC)"
192 AR="$(tc-getAR) rc \$@"
193 RANLIB="$(tc-getRANLIB)"
194 OPTIMIZER=
195 ${mybits}
196 )
197
198 # Take care of nspr settings #436216
199 local myCPPFLAGS="${CPPFLAGS} $($(tc-getPKG_CONFIG) nspr --cflags)"
200 local myLDFLAGS="${LDFLAGS} $($(tc-getPKG_CONFIG) nspr --libs-only-L)"
201 unset NSPR_INCLUDE_DIR
202
203 # Do not let `uname` be used.
204 if use kernel_linux ; then
205 makeargs+=(
206 OS_TARGET=Linux
207 OS_RELEASE=2.6
208 OS_TEST="$(nssarch)"
209 )
210 fi
211
212 export BUILD_OPT=1
213 export NSS_USE_SYSTEM_SQLITE=1
214 export NSDISTMODE=copy
215 export NSS_ENABLE_ECC=1
216 export FREEBL_NO_DEPEND=1
217 export ASFLAGS=""
218
219 local d
220
221 # Build the host tools first.
222 LDFLAGS="${BUILD_LDFLAGS}" \
223 XCFLAGS="${BUILD_CFLAGS}" \
224 NSPR_LIB_DIR="${T}/fake-dir" \
225 emake -j1 -C coreconf \
226 CC="$(tc-getBUILD_CC)" \
227 ${buildbits:-${mybits}}
228 makeargs+=( NSINSTALL="${PWD}/$(find -type f -name nsinstall)" )
229
230 # Then build the target tools.
231 for d in . lib/dbm ; do
232 CPPFLAGS="${myCPPFLAGS}" \
233 LDFLAGS="${myLDFLAGS}" \
234 XCFLAGS="${CFLAGS} ${CPPFLAGS}" \
235 NSPR_LIB_DIR="${T}/${ABI}-fake-dir" \
236 emake -j1 "${makeargs[@]}" -C ${d}
237 done
238 }
239
240 # Altering these 3 libraries breaks the CHK verification.
241 # All of the following cause it to break:
242 # - stripping
243 # - prelink
244 # - ELF signing
245 # http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn6.html
246 # Either we have to NOT strip them, or we have to forcibly resign after
247 # stripping.
248 #local_libdir="$(get_libdir)"
249 #export STRIP_MASK="
250 # */${local_libdir}/libfreebl3.so*
251 # */${local_libdir}/libnssdbm3.so*
252 # */${local_libdir}/libsoftokn3.so*"
253
254 export NSS_CHK_SIGN_LIBS="freebl3 nssdbm3 softokn3"
255
256 generate_chk() {
257 local shlibsign="$1"
258 local libdir="$2"
259 einfo "Resigning core NSS libraries for FIPS validation"
260 shift 2
261 local i
262 for i in ${NSS_CHK_SIGN_LIBS} ; do
263 local libname=lib${i}.so
264 local chkname=lib${i}.chk
265 "${shlibsign}" \
266 -i "${libdir}"/${libname} \
267 -o "${libdir}"/${chkname}.tmp \
268 && mv -f \
269 "${libdir}"/${chkname}.tmp \
270 "${libdir}"/${chkname} \
271 || die "Failed to sign ${libname}"
272 done
273 }
274
275 cleanup_chk() {
276 local libdir="$1"
277 shift 1
278 local i
279 for i in ${NSS_CHK_SIGN_LIBS} ; do
280 local libfname="${libdir}/lib${i}.so"
281 # If the major version has changed, then we have old chk files.
282 [ ! -f "${libfname}" -a -f "${libfname}.chk" ] \
283 && rm -f "${libfname}.chk"
284 done
285 }
286
287 multilib_src_install() {
288 pushd dist >/dev/null || die
289
290 dodir /usr/$(get_libdir)
291 cp -L */lib/*$(get_libname) "${ED}"/usr/$(get_libdir) || die "copying shared libs failed"
292 cp -L -t "${ED}"/usr/$(get_libdir) */lib/{libcrmf,libfreebl}.a || die "copying libs failed"
293
294 # Install nss-config and pkgconfig file
295 dodir /usr/bin
296 cp -L */bin/nss-config "${ED}"/usr/bin || die
297 dodir /usr/$(get_libdir)/pkgconfig
298 cp -L */lib/pkgconfig/nss.pc "${ED}"/usr/$(get_libdir)/pkgconfig || die
299
300 # create an nss-softokn.pc from nss.pc for libfreebl and some private headers
301 # bug 517266
302 sed -e 's#Libs:#Libs: -lfreebl#' \
303 -e 's#Cflags:#Cflags: -I${includedir}/private#' \
304 */lib/pkgconfig/nss.pc >"${ED}"/usr/$(get_libdir)/pkgconfig/nss-softokn.pc \
305 || die "could not create nss-softokn.pc"
306
307 # all the include files
308 insinto /usr/include/nss
309 doins public/nss/*.h
310 insinto /usr/include/nss/private
311 doins private/nss/{blapi,alghmac}.h
312
313 popd >/dev/null || die
314
315 local f nssutils
316 # Always enabled because we need it for chk generation.
317 nssutils="shlibsign"
318
319 if multilib_is_native_abi ; then
320 if use utils; then
321 # The tests we do not need to install.
322 #nssutils_test="bltest crmftest dbtest dertimetest
323 #fipstest remtest sdrtest"
324 nssutils="addbuiltin atob baddbdir btoa certcgi certutil checkcert
325 cmsutil conflict crlutil derdump digest makepqg mangle modutil multinit
326 nonspr10 ocspclnt oidcalc p7content p7env p7sign p7verify pk11mode
327 pk12util pp rsaperf selfserv shlibsign signtool signver ssltap strsclnt
328 symkeyutil tstclnt vfychain vfyserv"
329 fi
330 pushd dist/*/bin >/dev/null || die
331 for f in ${nssutils}; do
332 dobin ${f}
333 done
334 popd >/dev/null || die
335 fi
336
337 # Prelink breaks the CHK files. We don't have any reliable way to run
338 # shlibsign after prelink.
339 local l libs=() liblist
340 for l in ${NSS_CHK_SIGN_LIBS} ; do
341 libs+=("${EPREFIX}/usr/$(get_libdir)/lib${l}.so")
342 done
343 liblist=$(printf '%s:' "${libs[@]}")
344 echo -e "PRELINK_PATH_MASK=${liblist%:}" > "${T}/90nss-${ABI}"
345 doenvd "${T}/90nss-${ABI}"
346 }
347
348 pkg_postinst() {
349 multilib_pkg_postinst() {
350 # We must re-sign the libraries AFTER they are stripped.
351 local shlibsign="${EROOT}/usr/bin/shlibsign"
352 # See if we can execute it (cross-compiling & such). #436216
353 "${shlibsign}" -h >&/dev/null
354 if [[ $? -gt 1 ]] ; then
355 shlibsign="shlibsign"
356 fi
357 generate_chk "${shlibsign}" "${EROOT}"/usr/$(get_libdir)
358 }
359
360 multilib_foreach_abi multilib_pkg_postinst
361 }
362
363 pkg_postrm() {
364 multilib_pkg_postrm() {
365 cleanup_chk "${EROOT}"/usr/$(get_libdir)
366 }
367
368 multilib_foreach_abi multilib_pkg_postrm
369 }
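Review bot: `cleanup_chk` tests and deletes `${libfname}.chk`, which expands to `lib${i}.so.chk`, while `generate_chk` writes `lib${i}.chk`, so the stale-file check run from `pkg_postrm` can never match the files that `pkg_postinst` created. Because those .chk files are produced in `pkg_postinst` rather than in the install image, they are presumably not in the package's recorded file list either, which would leave the integrity-check files behind after an unmerge. Deriving the name the same way in both helpers fixes it: `local chkfname="${libdir}/lib${i}.chk"` followed by `[ ! -f "${libfname}" -a -f "${chkfname}" ] && rm -f "${chkfname}"`. The same two functions appear unchanged in nss-3.17.1.ebuild.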
370
371
372
373 1.1 dev-libs/nss/nss-3.17.1.ebuild
374
375 file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/dev-libs/nss/nss-3.17.1.ebuild?rev=1.1&view=markup
376 plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/dev-libs/nss/nss-3.17.1.ebuild?rev=1.1&content-type=text/plain
377
378 Index: nss-3.17.1.ebuild
379 ===================================================================
380 # Copyright 1999-2014 Gentoo Foundation
381 # Distributed under the terms of the GNU General Public License v2
382 # $Header: /var/cvsroot/gentoo-x86/dev-libs/nss/nss-3.17.1.ebuild,v 1.1 2014/09/25 06:00:12 polynomial-c Exp $
383
384 EAPI=5
385 inherit eutils flag-o-matic multilib toolchain-funcs multilib-minimal
386
387 NSPR_VER="4.10.6-r1"
388 RTM_NAME="NSS_${PV//./_}_RTM"
389 # Rev of https://git.fedorahosted.org/cgit/nss-pem.git
390 PEM_GIT_REV="015ae754dd9f6fbcd7e52030ec9732eb27fc06a8"
391 PEM_P="${PN}-pem-${PEM_GIT_REV}"
392
393 DESCRIPTION="Mozilla's Network Security Services library that implements PKI support"
394 HOMEPAGE="http://www.mozilla.org/projects/security/pki/nss/"
395 SRC_URI="ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/${RTM_NAME}/src/${P}.tar.gz
396 cacert? ( http://dev.gentoo.org/~anarchy/patches/${PN}-3.14.1-add_spi+cacerts_ca_certs.patch )
397 nss-pem? ( https://git.fedorahosted.org/cgit/nss-pem.git/snapshot/${PEM_P}.tar.bz2 )"
398
399 LICENSE="|| ( MPL-2.0 GPL-2 LGPL-2.1 )"
400 SLOT="0"
401 KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris"
402 IUSE="+cacert +nss-pem utils"
403
404 DEPEND=">=virtual/pkgconfig-0-r1[${MULTILIB_USEDEP}]
405 >=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}]"
406 RDEPEND=">=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}]
407 >=dev-db/sqlite-3.8.2[${MULTILIB_USEDEP}]
408 >=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}]
409 abi_x86_32? (
410 !<=app-emulation/emul-linux-x86-baselibs-20140508-r12
411 !app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
412 )"
413
414 RESTRICT="test"
415
416 S="${WORKDIR}/${P}/${PN}"
417
418 MULTILIB_CHOST_TOOLS=(
419 /usr/bin/nss-config
420 )
421
422 src_unpack() {
423 unpack ${A}
424 if use nss-pem ; then
425 mv "${PEM_P}"/nss/lib/ckfw/pem/ "${S}"/lib/ckfw/ || die
426 fi
427 }
428
429 src_prepare() {
430 # Custom changes for gentoo
431 epatch "${FILESDIR}/${PN}-3.17.1-gentoo-fixups.patch"
432 epatch "${FILESDIR}/${PN}-3.15-gentoo-fixup-warnings.patch"
433 use cacert && epatch "${DISTDIR}/${PN}-3.14.1-add_spi+cacerts_ca_certs.patch"
434 use nss-pem && epatch "${FILESDIR}/${PN}-3.15.4-enable-pem.patch"
435 epatch "${FILESDIR}/nss-3.14.2-solaris-gcc.patch"
436
437 pushd coreconf >/dev/null || die
438 # hack nspr paths
439 echo 'INCLUDES += -I$(DIST)/include/dbm' \
440 >> headers.mk || die "failed to append include"
441
442 # modify install path
443 sed -e '/CORE_DEPTH/s:SOURCE_PREFIX.*$:SOURCE_PREFIX = $(CORE_DEPTH)/dist:' \
444 -i source.mk || die
445
446 # Respect LDFLAGS
447 sed -i -e 's/\$(MKSHLIB) -o/\$(MKSHLIB) \$(LDFLAGS) -o/g' rules.mk
448 popd >/dev/null || die
449
450 # Fix pkgconfig file for Prefix
451 sed -i -e "/^PREFIX =/s:= /usr:= ${EPREFIX}/usr:" \
452 config/Makefile || die
453
454 # use host shlibsign if need be #436216
455 if tc-is-cross-compiler ; then
456 sed -i \
457 -e 's:"${2}"/shlibsign:shlibsign:' \
458 cmd/shlibsign/sign.sh || die
459 fi
460
461 # dirty hack
462 sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../freebl/\$(OBJDIR):" \
463 lib/ssl/config.mk || die
464 sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../../lib/freebl/\$(OBJDIR):" \
465 cmd/platlibs.mk || die
466
467 multilib_copy_sources
468
469 strip-flags
470 }
471
472 multilib_src_configure() {
473 # Ensure we stay multilib aware
474 sed -i -e "/@libdir@/ s:lib64:$(get_libdir):" config/Makefile || die
475 }
476
477 nssarch() {
478 # Most of the arches are the same as $ARCH
479 local t=${1:-${CHOST}}
480 case ${t} in
481 aarch64*)echo "aarch64";;
482 hppa*) echo "parisc";;
483 i?86*) echo "i686";;
484 x86_64*) echo "x86_64";;
485 *) tc-arch ${t};;
486 esac
487 }
488
489 nssbits() {
490 local cc cppflags="${1}CPPFLAGS" cflags="${1}CFLAGS"
491 if [[ ${1} == BUILD_ ]]; then
492 cc=$(tc-getBUILD_CC)
493 else
494 cc=$(tc-getCC)
495 fi
496 echo > "${T}"/test.c || die
497 ${cc} ${!cppflags} ${!cflags} -c "${T}"/test.c -o "${T}/${1}test.o" || die
498 case $(file "${T}/${1}test.o") in
499 *32-bit*x86-64*) echo USE_X32=1;;
500 *64-bit*|*ppc64*|*x86_64*) echo USE_64=1;;
501 *32-bit*|*ppc*|*i386*) ;;
502 *) die "Failed to detect whether ${cc} builds 64bits or 32bits, disable distcc if you're using it, please";;
503 esac
504 }
505
506 multilib_src_compile() {
507 # use ABI to determine bit'ness, or fallback if unset
508 local buildbits mybits
509 case "${ABI}" in
510 n32) mybits="USE_N32=1";;
511 x32) mybits="USE_X32=1";;
512 s390x|*64) mybits="USE_64=1";;
513 default) mybits=$(nssbits);;
514 esac
515 # bitness of host may differ from target
516 if tc-is-cross-compiler; then
517 buildbits=$(nssbits BUILD_)
518 fi
519
520 local makeargs=(
521 CC="$(tc-getCC)"
522 AR="$(tc-getAR) rc \$@"
523 RANLIB="$(tc-getRANLIB)"
524 OPTIMIZER=
525 ${mybits}
526 )
527
528 # Take care of nspr settings #436216
529 local myCPPFLAGS="${CPPFLAGS} $($(tc-getPKG_CONFIG) nspr --cflags)"
530 local myLDFLAGS="${LDFLAGS} $($(tc-getPKG_CONFIG) nspr --libs-only-L)"
531 unset NSPR_INCLUDE_DIR
532
533 # Do not let `uname` be used.
534 if use kernel_linux ; then
535 makeargs+=(
536 OS_TARGET=Linux
537 OS_RELEASE=2.6
538 OS_TEST="$(nssarch)"
539 )
540 fi
541
542 export BUILD_OPT=1
543 export NSS_USE_SYSTEM_SQLITE=1
544 export NSDISTMODE=copy
545 export NSS_ENABLE_ECC=1
546 export FREEBL_NO_DEPEND=1
547 export ASFLAGS=""
548
549 local d
550
551 # Build the host tools first.
552 LDFLAGS="${BUILD_LDFLAGS}" \
553 XCFLAGS="${BUILD_CFLAGS}" \
554 NSPR_LIB_DIR="${T}/fake-dir" \
555 emake -j1 -C coreconf \
556 CC="$(tc-getBUILD_CC)" \
557 ${buildbits:-${mybits}}
558 makeargs+=( NSINSTALL="${PWD}/$(find -type f -name nsinstall)" )
559
560 # Then build the target tools.
561 for d in . lib/dbm ; do
562 CPPFLAGS="${myCPPFLAGS}" \
563 LDFLAGS="${myLDFLAGS}" \
564 XCFLAGS="${CFLAGS} ${CPPFLAGS}" \
565 NSPR_LIB_DIR="${T}/${ABI}-fake-dir" \
566 emake -j1 "${makeargs[@]}" -C ${d}
567 done
568 }
569
570 # Altering these 3 libraries breaks the CHK verification.
571 # All of the following cause it to break:
572 # - stripping
573 # - prelink
574 # - ELF signing
575 # http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn6.html
576 # Either we have to NOT strip them, or we have to forcibly resign after
577 # stripping.
578 #local_libdir="$(get_libdir)"
579 #export STRIP_MASK="
580 # */${local_libdir}/libfreebl3.so*
581 # */${local_libdir}/libnssdbm3.so*
582 # */${local_libdir}/libsoftokn3.so*"
583
584 export NSS_CHK_SIGN_LIBS="freebl3 nssdbm3 softokn3"
585
586 generate_chk() {
587 local shlibsign="$1"
588 local libdir="$2"
589 einfo "Resigning core NSS libraries for FIPS validation"
590 shift 2
591 local i
592 for i in ${NSS_CHK_SIGN_LIBS} ; do
593 local libname=lib${i}.so
594 local chkname=lib${i}.chk
595 "${shlibsign}" \
596 -i "${libdir}"/${libname} \
597 -o "${libdir}"/${chkname}.tmp \
598 && mv -f \
599 "${libdir}"/${chkname}.tmp \
600 "${libdir}"/${chkname} \
601 || die "Failed to sign ${libname}"
602 done
603 }
604
605 cleanup_chk() {
606 local libdir="$1"
607 shift 1
608 local i
609 for i in ${NSS_CHK_SIGN_LIBS} ; do
610 local libfname="${libdir}/lib${i}.so"
611 # If the major version has changed, then we have old chk files.
612 [ ! -f "${libfname}" -a -f "${libfname}.chk" ] \
613 && rm -f "${libfname}.chk"
614 done
615 }
616
617 multilib_src_install() {
618 pushd dist >/dev/null || die
619
620 dodir /usr/$(get_libdir)
621 cp -L */lib/*$(get_libname) "${ED}"/usr/$(get_libdir) || die "copying shared libs failed"
622 cp -L -t "${ED}"/usr/$(get_libdir) */lib/{libcrmf,libfreebl}.a || die "copying libs failed"
623
624 # Install nss-config and pkgconfig file
625 dodir /usr/bin
626 cp -L */bin/nss-config "${ED}"/usr/bin || die
627 dodir /usr/$(get_libdir)/pkgconfig
628 cp -L */lib/pkgconfig/nss.pc "${ED}"/usr/$(get_libdir)/pkgconfig || die
629
630 # create an nss-softokn.pc from nss.pc for libfreebl and some private headers
631 # bug 517266
632 sed -e 's#Libs:#Libs: -lfreebl#' \
633 -e 's#Cflags:#Cflags: -I${includedir}/private#' \
634 */lib/pkgconfig/nss.pc >"${ED}"/usr/$(get_libdir)/pkgconfig/nss-softokn.pc \
635 || die "could not create nss-softokn.pc"
636
637 # all the include files
638 insinto /usr/include/nss
639 doins public/nss/*.h
640 insinto /usr/include/nss/private
641 doins private/nss/{blapi,alghmac}.h
642
643 popd >/dev/null || die
644
645 local f nssutils
646 # Always enabled because we need it for chk generation.
647 nssutils="shlibsign"
648
649 if multilib_is_native_abi ; then
650 if use utils; then
651 # The tests we do not need to install.
652 #nssutils_test="bltest crmftest dbtest dertimetest
653 #fipstest remtest sdrtest"
654 nssutils="addbuiltin atob baddbdir btoa certcgi certutil checkcert
655 cmsutil conflict crlutil derdump digest makepqg mangle modutil multinit
656 nonspr10 ocspclnt oidcalc p7content p7env p7sign p7verify pk11mode
657 pk12util pp rsaperf selfserv shlibsign signtool signver ssltap strsclnt
658 symkeyutil tstclnt vfychain vfyserv"
659 fi
660 pushd dist/*/bin >/dev/null || die
661 for f in ${nssutils}; do
662 dobin ${f}
663 done
664 popd >/dev/null || die
665 fi
666
667 # Prelink breaks the CHK files. We don't have any reliable way to run
668 # shlibsign after prelink.
669 local l libs=() liblist
670 for l in ${NSS_CHK_SIGN_LIBS} ; do
671 libs+=("${EPREFIX}/usr/$(get_libdir)/lib${l}.so")
672 done
673 liblist=$(printf '%s:' "${libs[@]}")
674 echo -e "PRELINK_PATH_MASK=${liblist%:}" > "${T}/90nss-${ABI}"
675 doenvd "${T}/90nss-${ABI}"
676 }
677
678 pkg_postinst() {
679 multilib_pkg_postinst() {
680 # We must re-sign the libraries AFTER they are stripped.
681 local shlibsign="${EROOT}/usr/bin/shlibsign"
682 # See if we can execute it (cross-compiling & such). #436216
683 "${shlibsign}" -h >&/dev/null
684 if [[ $? -gt 1 ]] ; then
685 shlibsign="shlibsign"
686 fi
687 generate_chk "${shlibsign}" "${EROOT}"/usr/$(get_libdir)
688 }
689
690 multilib_foreach_abi multilib_pkg_postinst
691 }
692
693 pkg_postrm() {
694 multilib_pkg_postrm() {
695 cleanup_chk "${EROOT}"/usr/$(get_libdir)
696 }
697
698 multilib_foreach_abi multilib_pkg_postrm
699 }
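Review bot: The `sed` on `rules.mk` in `src_prepare`, which injects `$(LDFLAGS)` into the `$(MKSHLIB)` link line, is the only in-place edit in that function without `|| die`. If it fails outright (for example because the file has moved upstream), the build carries on and links the shared libraries without the user's linker flags, including any hardening options passed that way. Matching the neighbouring `source.mk` and `config/Makefile` edits would close that gap: `sed -i -e 's/\$(MKSHLIB) -o/\$(MKSHLIB) \$(LDFLAGS) -o/g' rules.mk || die "failed to add LDFLAGS to rules.mk"`. `sed` still exits 0 when the pattern merely stops matching, so a one-line comment naming the upstream line this targets would help whoever does the next version bump. nss-3.16.5.ebuild carries the same line.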