
From: Mike Frysinger <vapier@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: dev-libs/nss/
Date: Wed, 16 Dec 2015 18:35:51
Message-Id: 1450290934.e144331d75159ef4d4ce099dbe8f22bb54f0a208.vapier@gentoo
1 commit: e144331d75159ef4d4ce099dbe8f22bb54f0a208
2 Author: Mike Frysinger <vapier <AT> gentoo <DOT> org>
3 AuthorDate: Wed Dec 16 17:33:18 2015 +0000
4 Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org>
5 CommitDate: Wed Dec 16 18:35:34 2015 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e144331d
7
8 dev-libs/nss: put cacert patches behind USE=cacert
9
10 dev-libs/nss/metadata.xml | 2 +-
11 dev-libs/nss/nss-3.21-r1.ebuild | 328 ++++++++++++++++++++++++++++++++++++++++
12 2 files changed, 329 insertions(+), 1 deletion(-)
13
14 diff --git a/dev-libs/nss/metadata.xml b/dev-libs/nss/metadata.xml
15 index 36dc831..0e2139c 100644
16 --- a/dev-libs/nss/metadata.xml
17 +++ b/dev-libs/nss/metadata.xml
18 @@ -4,7 +4,7 @@
19 <herd>mozilla</herd>
20 <use>
21 <flag name='cacert'>
22 - Include root certs from CAcert (http://http://www.cacert.org/) and
23 + Include root/class3 certs from CAcert (http://http://www.cacert.org/) and
24 Software in the Public Interest (http://www.spi-inc.org/)
25 </flag>
26 <flag name='nss-pem'>Add support for libnsspem</flag>
27
28 diff --git a/dev-libs/nss/nss-3.21-r1.ebuild b/dev-libs/nss/nss-3.21-r1.ebuild
29 new file mode 100644
30 index 0000000..06f3df4
31 --- /dev/null
32 +++ b/dev-libs/nss/nss-3.21-r1.ebuild
33 @@ -0,0 +1,328 @@
34 +# Copyright 1999-2015 Gentoo Foundation
35 +# Distributed under the terms of the GNU General Public License v2
36 +# $Id$
37 +
38 +EAPI=5
39 +inherit eutils flag-o-matic multilib toolchain-funcs multilib-minimal
40 +
41 +NSPR_VER="4.10.8"
42 +RTM_NAME="NSS_${PV//./_}_RTM"
43 +# Rev of https://git.fedorahosted.org/cgit/nss-pem.git
44 +PEM_GIT_REV="015ae754dd9f6fbcd7e52030ec9732eb27fc06a8"
45 +PEM_P="${PN}-pem-20140125"
46 +
47 +DESCRIPTION="Mozilla's Network Security Services library that implements PKI support"
48 +HOMEPAGE="http://www.mozilla.org/projects/security/pki/nss/"
49 +SRC_URI="http://archive.mozilla.org/pub/mozilla.org/security/nss/releases/${RTM_NAME}/src/${P}.tar.gz
50 + cacert? ( https://dev.gentoo.org/~anarchy/patches/${PN}-3.14.1-add_spi+cacerts_ca_certs.patch )
51 + nss-pem? ( https://dev.gentoo.org/~anarchy/dist/${PEM_P}.tar.bz2 )"
52 +
53 +LICENSE="|| ( MPL-2.0 GPL-2 LGPL-2.1 )"
54 +SLOT="0"
55 +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris"
56 +IUSE="+cacert +nss-pem utils"
57 +CDEPEND=">=dev-db/sqlite-3.8.2[${MULTILIB_USEDEP}]
58 + >=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}]"
59 +DEPEND=">=virtual/pkgconfig-0-r1[${MULTILIB_USEDEP}]
60 + >=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}]
61 + ${CDEPEND}"
62 +RDEPEND=">=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}]
63 + ${CDEPEND}
64 + abi_x86_32? (
65 + !<=app-emulation/emul-linux-x86-baselibs-20140508-r12
66 + !app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
67 + )"
68 +
69 +RESTRICT="test"
70 +
71 +S="${WORKDIR}/${P}/${PN}"
72 +
73 +MULTILIB_CHOST_TOOLS=(
74 + /usr/bin/nss-config
75 +)
76 +
77 +src_unpack() {
78 + unpack ${A}
79 + if use nss-pem ; then
80 + mv "${PN}"/lib/ckfw/pem/ "${S}"/lib/ckfw/ || die
81 + fi
82 +}
83 +
84 +src_prepare() {
85 + # Custom changes for gentoo
86 + epatch "${FILESDIR}/${PN}-3.21-gentoo-fixups.patch"
87 + epatch "${FILESDIR}/${PN}-3.21-gentoo-fixup-warnings.patch"
88 + if use cacert ; then
89 + epatch "${DISTDIR}/${PN}-3.14.1-add_spi+cacerts_ca_certs.patch"
90 + epatch "${FILESDIR}/${PN}-3.21-cacert-class3.patch" #521462
91 + fi
92 + use nss-pem && epatch "${FILESDIR}/${PN}-3.21-enable-pem.patch" \
93 + "${FILESDIR}/${PN}-3.21-pem-werror.patch"
94 +
95 + pushd coreconf >/dev/null || die
96 + # hack nspr paths
97 + echo 'INCLUDES += -I$(DIST)/include/dbm' \
98 + >> headers.mk || die "failed to append include"
99 +
100 + # modify install path
101 + sed -e '/CORE_DEPTH/s:SOURCE_PREFIX.*$:SOURCE_PREFIX = $(CORE_DEPTH)/dist:' \
102 + -i source.mk || die
103 +
104 + # Respect LDFLAGS
105 + sed -i -e 's/\$(MKSHLIB) -o/\$(MKSHLIB) \$(LDFLAGS) -o/g' rules.mk
106 + popd >/dev/null || die
107 +
108 + # Fix pkgconfig file for Prefix
109 + sed -i -e "/^PREFIX =/s:= /usr:= ${EPREFIX}/usr:" \
110 + config/Makefile || die
111 +
112 + # use host shlibsign if need be #436216
113 + if tc-is-cross-compiler ; then
114 + sed -i \
115 + -e 's:"${2}"/shlibsign:shlibsign:' \
116 + cmd/shlibsign/sign.sh || die
117 + fi
118 +
119 + # dirty hack
120 + sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../freebl/\$(OBJDIR):" \
121 + lib/ssl/config.mk || die
122 + sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../../lib/freebl/\$(OBJDIR):" \
123 + cmd/platlibs.mk || die
124 +
125 + multilib_copy_sources
126 +
127 + strip-flags
128 +}
129 +
130 +multilib_src_configure() {
131 + # Ensure we stay multilib aware
132 + sed -i -e "/@libdir@/ s:lib64:$(get_libdir):" config/Makefile || die
133 +}
134 +
135 +nssarch() {
136 + # Most of the arches are the same as $ARCH
137 + local t=${1:-${CHOST}}
138 + case ${t} in
139 + aarch64*)echo "aarch64";;
140 + hppa*) echo "parisc";;
141 + i?86*) echo "i686";;
142 + x86_64*) echo "x86_64";;
143 + *) tc-arch ${t};;
144 + esac
145 +}
146 +
147 +nssbits() {
148 + local cc cppflags="${1}CPPFLAGS" cflags="${1}CFLAGS"
149 + if [[ ${1} == BUILD_ ]]; then
150 + cc=$(tc-getBUILD_CC)
151 + else
152 + cc=$(tc-getCC)
153 + fi
154 + echo > "${T}"/test.c || die
155 + ${cc} ${!cppflags} ${!cflags} -c "${T}"/test.c -o "${T}/${1}test.o" || die
156 + case $(file "${T}/${1}test.o") in
157 + *32-bit*x86-64*) echo USE_X32=1;;
158 + *64-bit*|*ppc64*|*x86_64*) echo USE_64=1;;
159 + *32-bit*|*ppc*|*i386*) ;;
160 + *) die "Failed to detect whether ${cc} builds 64bits or 32bits, disable distcc if you're using it, please";;
161 + esac
162 +}
163 +
164 +multilib_src_compile() {
165 + # use ABI to determine bit'ness, or fallback if unset
166 + local buildbits mybits
167 + case "${ABI}" in
168 + n32) mybits="USE_N32=1";;
169 + x32) mybits="USE_X32=1";;
170 + s390x|*64) mybits="USE_64=1";;
171 + ${DEFAULT_ABI})
172 + einfo "Running compilation test to determine bit'ness"
173 + mybits=$(nssbits)
174 + ;;
175 + esac
176 + # bitness of host may differ from target
177 + if tc-is-cross-compiler; then
178 + buildbits=$(nssbits BUILD_)
179 + fi
180 +
181 + local makeargs=(
182 + CC="$(tc-getCC)"
183 + AR="$(tc-getAR) rc \$@"
184 + RANLIB="$(tc-getRANLIB)"
185 + OPTIMIZER=
186 + ${mybits}
187 + )
188 +
189 + # Take care of nspr settings #436216
190 + local myCPPFLAGS="${CPPFLAGS} $($(tc-getPKG_CONFIG) nspr --cflags)"
191 + unset NSPR_INCLUDE_DIR
192 +
193 + # Do not let `uname` be used.
194 + if use kernel_linux ; then
195 + makeargs+=(
196 + OS_TARGET=Linux
197 + OS_RELEASE=2.6
198 + OS_TEST="$(nssarch)"
199 + )
200 + fi
201 +
202 + export BUILD_OPT=1
203 + export NSS_USE_SYSTEM_SQLITE=1
204 + export NSDISTMODE=copy
205 + export NSS_ENABLE_ECC=1
206 + export FREEBL_NO_DEPEND=1
207 + export ASFLAGS=""
208 +
209 + local d
210 +
211 + # Build the host tools first.
212 + LDFLAGS="${BUILD_LDFLAGS}" \
213 + XCFLAGS="${BUILD_CFLAGS}" \
214 + NSPR_LIB_DIR="${T}/fakedir" \
215 + emake -j1 -C coreconf \
216 + CC="$(tc-getBUILD_CC)" \
217 + ${buildbits:-${mybits}}
218 + makeargs+=( NSINSTALL="${PWD}/$(find -type f -name nsinstall)" )
219 +
220 + # Then build the target tools.
221 + for d in . lib/dbm ; do
222 + CPPFLAGS="${myCPPFLAGS}" \
223 + XCFLAGS="${CFLAGS} ${CPPFLAGS}" \
224 + NSPR_LIB_DIR="${T}/fakedir" \
225 + emake -j1 "${makeargs[@]}" -C ${d}
226 + done
227 +}
228 +
229 +# Altering these 3 libraries breaks the CHK verification.
230 +# All of the following cause it to break:
231 +# - stripping
232 +# - prelink
233 +# - ELF signing
234 +# http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn6.html
235 +# Either we have to NOT strip them, or we have to forcibly resign after
236 +# stripping.
237 +#local_libdir="$(get_libdir)"
238 +#export STRIP_MASK="
239 +# */${local_libdir}/libfreebl3.so*
240 +# */${local_libdir}/libnssdbm3.so*
241 +# */${local_libdir}/libsoftokn3.so*"
242 +
243 +export NSS_CHK_SIGN_LIBS="freebl3 nssdbm3 softokn3"
244 +
245 +generate_chk() {
246 + local shlibsign="$1"
247 + local libdir="$2"
248 + einfo "Resigning core NSS libraries for FIPS validation"
249 + shift 2
250 + local i
251 + for i in ${NSS_CHK_SIGN_LIBS} ; do
252 + local libname=lib${i}.so
253 + local chkname=lib${i}.chk
254 + "${shlibsign}" \
255 + -i "${libdir}"/${libname} \
256 + -o "${libdir}"/${chkname}.tmp \
257 + && mv -f \
258 + "${libdir}"/${chkname}.tmp \
259 + "${libdir}"/${chkname} \
260 + || die "Failed to sign ${libname}"
261 + done
262 +}
263 +
264 +cleanup_chk() {
265 + local libdir="$1"
266 + shift 1
267 + local i
268 + for i in ${NSS_CHK_SIGN_LIBS} ; do
269 + local libfname="${libdir}/lib${i}.so"
270 + # If the major version has changed, then we have old chk files.
271 + [ ! -f "${libfname}" -a -f "${libfname}.chk" ] \
272 + && rm -f "${libfname}.chk"
273 + done
274 +}
275 +
276 +multilib_src_install() {
277 + pushd dist >/dev/null || die
278 +
279 + dodir /usr/$(get_libdir)
280 + cp -L */lib/*$(get_libname) "${ED}"/usr/$(get_libdir) || die "copying shared libs failed"
281 + cp -L */lib/libcrmf.a "${ED}"/usr/$(get_libdir) || die "copying libs failed"
282 + cp -L */lib/libfreebl.a "${ED}"/usr/$(get_libdir) || die "copying libs failed"
283 +
284 + # Install nss-config and pkgconfig file
285 + dodir /usr/bin
286 + cp -L */bin/nss-config "${ED}"/usr/bin || die
287 + dodir /usr/$(get_libdir)/pkgconfig
288 + cp -L */lib/pkgconfig/nss.pc "${ED}"/usr/$(get_libdir)/pkgconfig || die
289 +
290 + # create an nss-softokn.pc from nss.pc for libfreebl and some private headers
291 + # bug 517266
292 + sed -e 's#Libs:#Libs: -lfreebl#' \
293 + -e 's#Cflags:#Cflags: -I${includedir}/private#' \
294 + */lib/pkgconfig/nss.pc >"${ED}"/usr/$(get_libdir)/pkgconfig/nss-softokn.pc \
295 + || die "could not create nss-softokn.pc"
296 +
297 + # all the include files
298 + insinto /usr/include/nss
299 + doins public/nss/*.h
300 + insinto /usr/include/nss/private
301 + doins private/nss/{blapi,alghmac}.h
302 +
303 + popd >/dev/null || die
304 +
305 + local f nssutils
306 + # Always enabled because we need it for chk generation.
307 + nssutils="shlibsign"
308 +
309 + if multilib_is_native_abi ; then
310 + if use utils; then
311 + # The tests we do not need to install.
312 + #nssutils_test="bltest crmftest dbtest dertimetest
313 + #fipstest remtest sdrtest"
314 + nssutils="addbuiltin atob baddbdir btoa certcgi certutil checkcert
315 + cmsutil conflict crlutil derdump digest makepqg mangle modutil multinit
316 + nonspr10 ocspclnt oidcalc p7content p7env p7sign p7verify pk11mode
317 + pk12util pp rsaperf selfserv shlibsign signtool signver ssltap strsclnt
318 + symkeyutil tstclnt vfychain vfyserv"
319 + # install man-pages for utils (bug #516810)
320 + doman doc/nroff/*.1
321 + fi
322 + pushd dist/*/bin >/dev/null || die
323 + for f in ${nssutils}; do
324 + dobin ${f}
325 + done
326 + popd >/dev/null || die
327 + fi
328 +
329 + # Prelink breaks the CHK files. We don't have any reliable way to run
330 + # shlibsign after prelink.
331 + local l libs=() liblist
332 + for l in ${NSS_CHK_SIGN_LIBS} ; do
333 + libs+=("${EPREFIX}/usr/$(get_libdir)/lib${l}.so")
334 + done
335 + liblist=$(printf '%s:' "${libs[@]}")
336 + echo -e "PRELINK_PATH_MASK=${liblist%:}" > "${T}/90nss-${ABI}"
337 + doenvd "${T}/90nss-${ABI}"
338 +}
339 +
340 +pkg_postinst() {
341 + multilib_pkg_postinst() {
342 + # We must re-sign the libraries AFTER they are stripped.
343 + local shlibsign="${EROOT}/usr/bin/shlibsign"
344 + # See if we can execute it (cross-compiling & such). #436216
345 + "${shlibsign}" -h >&/dev/null
346 + if [[ $? -gt 1 ]] ; then
347 + shlibsign="shlibsign"
348 + fi
349 + generate_chk "${shlibsign}" "${EROOT}"/usr/$(get_libdir)
350 + }
351 +
352 + multilib_foreach_abi multilib_pkg_postinst
353 +}
354 +
355 +pkg_postrm() {
356 + multilib_pkg_postrm() {
357 + cleanup_chk "${EROOT}"/usr/$(get_libdir)
358 + }
359 +
360 + multilib_foreach_abi multilib_pkg_postrm
361 +}
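Review bot: cleanup_chk tests for `"${libfname}.chk"` where libfname already ends in `.so`, so it looks for `lib${i}.so.chk`, while generate_chk writes `lib${i}.chk`. As far as this hunk shows, the stale-signature cleanup run from pkg_postrm therefore never matches a file, and orphaned FIPS .chk files are left in the libdir after the libraries are gone. Dropping the suffix from the variable fixes it: `local libfname="${libdir}/lib${i}"` and `[ ! -f "${libfname}.so" -a -f "${libfname}.chk" ] && rm -f "${libfname}.chk"`. Separately, the "Respect LDFLAGS" sed on rules.mk is the only sed in src_prepare without `|| die`, so a sed failure there would go unnoticed.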