1 |
commit: fc8de6d16fe203976a1fa5d79456ad2b3b4deb13 |
2 |
Author: Mike Frysinger <vapier <AT> gentoo <DOT> org> |
3 |
AuthorDate: Tue Jan 5 00:30:34 2016 +0000 |
4 |
Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org> |
5 |
CommitDate: Tue Jan 5 00:38:22 2016 +0000 |
6 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fc8de6d1 |
7 |
|
8 |
dev-libs/nss: switch to prelink.conf.d files |
9 |
|
10 |
Avoid polluting the global environment via env.d just for prelink masks |
11 |
now that the current prelink versions support prelink.conf.d fragments. |
12 |
|
13 |
dev-libs/nss/nss-3.21-r2.ebuild | 328 ++++++++++++++++++++++++++++++++++++++++ |
14 |
1 file changed, 328 insertions(+) |
15 |
|
16 |
diff --git a/dev-libs/nss/nss-3.21-r2.ebuild b/dev-libs/nss/nss-3.21-r2.ebuild |
17 |
new file mode 100644 |
18 |
index 0000000..5729f0b |
19 |
--- /dev/null |
20 |
+++ b/dev-libs/nss/nss-3.21-r2.ebuild |
21 |
@@ -0,0 +1,328 @@ |
22 |
+# Copyright 1999-2016 Gentoo Foundation |
23 |
+# Distributed under the terms of the GNU General Public License v2 |
24 |
+# $Id$ |
25 |
+ |
26 |
+EAPI="5" |
27 |
+ |
28 |
+inherit eutils flag-o-matic multilib toolchain-funcs multilib-minimal |
29 |
+ |
30 |
+NSPR_VER="4.10.8" |
31 |
+RTM_NAME="NSS_${PV//./_}_RTM" |
32 |
+# Rev of https://git.fedorahosted.org/cgit/nss-pem.git |
33 |
+PEM_GIT_REV="015ae754dd9f6fbcd7e52030ec9732eb27fc06a8" |
34 |
+PEM_P="${PN}-pem-20140125" |
35 |
+ |
36 |
+DESCRIPTION="Mozilla's Network Security Services library that implements PKI support" |
37 |
+HOMEPAGE="http://www.mozilla.org/projects/security/pki/nss/" |
38 |
+SRC_URI="http://archive.mozilla.org/pub/mozilla.org/security/nss/releases/${RTM_NAME}/src/${P}.tar.gz |
39 |
+ cacert? ( https://dev.gentoo.org/~anarchy/patches/${PN}-3.14.1-add_spi+cacerts_ca_certs.patch ) |
40 |
+ nss-pem? ( https://dev.gentoo.org/~anarchy/dist/${PEM_P}.tar.bz2 )" |
41 |
+ |
42 |
+LICENSE="|| ( MPL-2.0 GPL-2 LGPL-2.1 )" |
43 |
+SLOT="0" |
44 |
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris" |
45 |
+IUSE="+cacert +nss-pem utils" |
46 |
+CDEPEND=">=dev-db/sqlite-3.8.2[${MULTILIB_USEDEP}] |
47 |
+ >=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}]" |
48 |
+DEPEND=">=virtual/pkgconfig-0-r1[${MULTILIB_USEDEP}] |
49 |
+ >=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}] |
50 |
+ ${CDEPEND}" |
51 |
+RDEPEND=">=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}] |
52 |
+ ${CDEPEND} |
53 |
+ abi_x86_32? ( |
54 |
+ !<=app-emulation/emul-linux-x86-baselibs-20140508-r12 |
55 |
+ !app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)] |
56 |
+ )" |
57 |
+ |
58 |
+RESTRICT="test" |
59 |
+ |
60 |
+S="${WORKDIR}/${P}/${PN}" |
61 |
+ |
62 |
+MULTILIB_CHOST_TOOLS=( |
63 |
+ /usr/bin/nss-config |
64 |
+) |
65 |
+ |
66 |
+src_unpack() { |
67 |
+ unpack ${A} |
68 |
+ if use nss-pem ; then |
69 |
+ mv "${PN}"/lib/ckfw/pem/ "${S}"/lib/ckfw/ || die |
70 |
+ fi |
71 |
+} |
72 |
+ |
73 |
+src_prepare() { |
74 |
+ # Custom changes for gentoo |
75 |
+ epatch "${FILESDIR}/${PN}-3.21-gentoo-fixups.patch" |
76 |
+ epatch "${FILESDIR}/${PN}-3.21-gentoo-fixup-warnings.patch" |
77 |
+ epatch "${FILESDIR}/${PN}-3.21-hppa-byte_order.patch" |
78 |
+ |
79 |
+ if use cacert ; then |
80 |
+ epatch "${DISTDIR}/${PN}-3.14.1-add_spi+cacerts_ca_certs.patch" |
81 |
+ epatch "${FILESDIR}/${PN}-3.21-cacert-class3.patch" #521462 |
82 |
+ fi |
83 |
+ use nss-pem && epatch "${FILESDIR}/${PN}-3.21-enable-pem.patch" \ |
84 |
+ "${FILESDIR}/${PN}-3.21-pem-werror.patch" |
85 |
+ |
86 |
+ pushd coreconf >/dev/null || die |
87 |
+ # hack nspr paths |
88 |
+ echo 'INCLUDES += -I$(DIST)/include/dbm' \ |
89 |
+ >> headers.mk || die "failed to append include" |
90 |
+ |
91 |
+ # modify install path |
92 |
+ sed -e '/CORE_DEPTH/s:SOURCE_PREFIX.*$:SOURCE_PREFIX = $(CORE_DEPTH)/dist:' \ |
93 |
+ -i source.mk || die |
94 |
+ |
95 |
+ # Respect LDFLAGS |
96 |
+ sed -i -e 's/\$(MKSHLIB) -o/\$(MKSHLIB) \$(LDFLAGS) -o/g' rules.mk |
97 |
+ popd >/dev/null || die |
98 |
+ |
99 |
+ # Fix pkgconfig file for Prefix |
100 |
+ sed -i -e "/^PREFIX =/s:= /usr:= ${EPREFIX}/usr:" \ |
101 |
+ config/Makefile || die |
102 |
+ |
103 |
+ # use host shlibsign if need be #436216 |
104 |
+ if tc-is-cross-compiler ; then |
105 |
+ sed -i \ |
106 |
+ -e 's:"${2}"/shlibsign:shlibsign:' \ |
107 |
+ cmd/shlibsign/sign.sh || die |
108 |
+ fi |
109 |
+ |
110 |
+ # dirty hack |
111 |
+ sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../freebl/\$(OBJDIR):" \ |
112 |
+ lib/ssl/config.mk || die |
113 |
+ sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../../lib/freebl/\$(OBJDIR):" \ |
114 |
+ cmd/platlibs.mk || die |
115 |
+ |
116 |
+ multilib_copy_sources |
117 |
+ |
118 |
+ strip-flags |
119 |
+} |
120 |
+ |
121 |
+multilib_src_configure() { |
122 |
+ # Ensure we stay multilib aware |
123 |
+ sed -i -e "/@libdir@/ s:lib64:$(get_libdir):" config/Makefile || die |
124 |
+} |
125 |
+ |
126 |
+nssarch() { |
127 |
+ # Most of the arches are the same as $ARCH |
128 |
+ local t=${1:-${CHOST}} |
129 |
+ case ${t} in |
130 |
+ aarch64*)echo "aarch64";; |
131 |
+ hppa*) echo "parisc";; |
132 |
+ i?86*) echo "i686";; |
133 |
+ x86_64*) echo "x86_64";; |
134 |
+ *) tc-arch ${t};; |
135 |
+ esac |
136 |
+} |
137 |
+ |
138 |
+nssbits() { |
139 |
+ local cc cppflags="${1}CPPFLAGS" cflags="${1}CFLAGS" |
140 |
+ if [[ ${1} == BUILD_ ]]; then |
141 |
+ cc=$(tc-getBUILD_CC) |
142 |
+ else |
143 |
+ cc=$(tc-getCC) |
144 |
+ fi |
145 |
+ echo > "${T}"/test.c || die |
146 |
+ ${cc} ${!cppflags} ${!cflags} -c "${T}"/test.c -o "${T}/${1}test.o" || die |
147 |
+ case $(file "${T}/${1}test.o") in |
148 |
+ *32-bit*x86-64*) echo USE_X32=1;; |
149 |
+ *64-bit*|*ppc64*|*x86_64*) echo USE_64=1;; |
150 |
+ *32-bit*|*ppc*|*i386*) ;; |
151 |
+ *) die "Failed to detect whether ${cc} builds 64bits or 32bits, disable distcc if you're using it, please";; |
152 |
+ esac |
153 |
+} |
154 |
+ |
155 |
+multilib_src_compile() { |
156 |
+ # use ABI to determine bit'ness, or fallback if unset |
157 |
+ local buildbits mybits |
158 |
+ case "${ABI}" in |
159 |
+ n32) mybits="USE_N32=1";; |
160 |
+ x32) mybits="USE_X32=1";; |
161 |
+ s390x|*64) mybits="USE_64=1";; |
162 |
+ ${DEFAULT_ABI}) |
163 |
+ einfo "Running compilation test to determine bit'ness" |
164 |
+ mybits=$(nssbits) |
165 |
+ ;; |
166 |
+ esac |
167 |
+ # bitness of host may differ from target |
168 |
+ if tc-is-cross-compiler; then |
169 |
+ buildbits=$(nssbits BUILD_) |
170 |
+ fi |
171 |
+ |
172 |
+ local makeargs=( |
173 |
+ CC="$(tc-getCC)" |
174 |
+ AR="$(tc-getAR) rc \$@" |
175 |
+ RANLIB="$(tc-getRANLIB)" |
176 |
+ OPTIMIZER= |
177 |
+ ${mybits} |
178 |
+ ) |
179 |
+ |
180 |
+ # Take care of nspr settings #436216 |
181 |
+ local myCPPFLAGS="${CPPFLAGS} $($(tc-getPKG_CONFIG) nspr --cflags)" |
182 |
+ unset NSPR_INCLUDE_DIR |
183 |
+ |
184 |
+ # Do not let `uname` be used. |
185 |
+ if use kernel_linux ; then |
186 |
+ makeargs+=( |
187 |
+ OS_TARGET=Linux |
188 |
+ OS_RELEASE=2.6 |
189 |
+ OS_TEST="$(nssarch)" |
190 |
+ ) |
191 |
+ fi |
192 |
+ |
193 |
+ export NSS_ENABLE_WERROR=0 #567158 |
194 |
+ export BUILD_OPT=1 |
195 |
+ export NSS_USE_SYSTEM_SQLITE=1 |
196 |
+ export NSDISTMODE=copy |
197 |
+ export NSS_ENABLE_ECC=1 |
198 |
+ export FREEBL_NO_DEPEND=1 |
199 |
+ export ASFLAGS="" |
200 |
+ |
201 |
+ local d |
202 |
+ |
203 |
+ # Build the host tools first. |
204 |
+ LDFLAGS="${BUILD_LDFLAGS}" \ |
205 |
+ XCFLAGS="${BUILD_CFLAGS}" \ |
206 |
+ NSPR_LIB_DIR="${T}/fakedir" \ |
207 |
+ emake -j1 -C coreconf \ |
208 |
+ CC="$(tc-getBUILD_CC)" \ |
209 |
+ ${buildbits:-${mybits}} |
210 |
+ makeargs+=( NSINSTALL="${PWD}/$(find -type f -name nsinstall)" ) |
211 |
+ |
212 |
+ # Then build the target tools. |
213 |
+ for d in . lib/dbm ; do |
214 |
+ CPPFLAGS="${myCPPFLAGS}" \ |
215 |
+ XCFLAGS="${CFLAGS} ${CPPFLAGS}" \ |
216 |
+ NSPR_LIB_DIR="${T}/fakedir" \ |
217 |
+ emake -j1 "${makeargs[@]}" -C ${d} |
218 |
+ done |
219 |
+} |
220 |
+ |
221 |
+# Altering these 3 libraries breaks the CHK verification. |
222 |
+# All of the following cause it to break: |
223 |
+# - stripping |
224 |
+# - prelink |
225 |
+# - ELF signing |
226 |
+# http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn6.html |
227 |
+# Either we have to NOT strip them, or we have to forcibly resign after |
228 |
+# stripping. |
229 |
+#local_libdir="$(get_libdir)" |
230 |
+#export STRIP_MASK=" |
231 |
+# */${local_libdir}/libfreebl3.so* |
232 |
+# */${local_libdir}/libnssdbm3.so* |
233 |
+# */${local_libdir}/libsoftokn3.so*" |
234 |
+ |
235 |
+export NSS_CHK_SIGN_LIBS="freebl3 nssdbm3 softokn3" |
236 |
+ |
237 |
+generate_chk() { |
238 |
+ local shlibsign="$1" |
239 |
+ local libdir="$2" |
240 |
+ einfo "Resigning core NSS libraries for FIPS validation" |
241 |
+ shift 2 |
242 |
+ local i |
243 |
+ for i in ${NSS_CHK_SIGN_LIBS} ; do |
244 |
+ local libname=lib${i}.so |
245 |
+ local chkname=lib${i}.chk |
246 |
+ "${shlibsign}" \ |
247 |
+ -i "${libdir}"/${libname} \ |
248 |
+ -o "${libdir}"/${chkname}.tmp \ |
249 |
+ && mv -f \ |
250 |
+ "${libdir}"/${chkname}.tmp \ |
251 |
+ "${libdir}"/${chkname} \ |
252 |
+ || die "Failed to sign ${libname}" |
253 |
+ done |
254 |
+} |
255 |
+ |
256 |
+cleanup_chk() { |
257 |
+ local libdir="$1" |
258 |
+ shift 1 |
259 |
+ local i |
260 |
+ for i in ${NSS_CHK_SIGN_LIBS} ; do |
261 |
+ local libfname="${libdir}/lib${i}.so" |
262 |
+ # If the major version has changed, then we have old chk files. |
263 |
+ [ ! -f "${libfname}" -a -f "${libfname}.chk" ] \ |
264 |
+ && rm -f "${libfname}.chk" |
265 |
+ done |
266 |
+} |
267 |
+ |
268 |
+multilib_src_install() { |
269 |
+ pushd dist >/dev/null || die |
270 |
+ |
271 |
+ dodir /usr/$(get_libdir) |
272 |
+ cp -L */lib/*$(get_libname) "${ED}"/usr/$(get_libdir) || die "copying shared libs failed" |
273 |
+ cp -L */lib/libcrmf.a "${ED}"/usr/$(get_libdir) || die "copying libs failed" |
274 |
+ cp -L */lib/libfreebl.a "${ED}"/usr/$(get_libdir) || die "copying libs failed" |
275 |
+ |
276 |
+ # Install nss-config and pkgconfig file |
277 |
+ dodir /usr/bin |
278 |
+ cp -L */bin/nss-config "${ED}"/usr/bin || die |
279 |
+ dodir /usr/$(get_libdir)/pkgconfig |
280 |
+ cp -L */lib/pkgconfig/nss.pc "${ED}"/usr/$(get_libdir)/pkgconfig || die |
281 |
+ |
282 |
+ # create an nss-softokn.pc from nss.pc for libfreebl and some private headers |
283 |
+ # bug 517266 |
284 |
+ sed -e 's#Libs:#Libs: -lfreebl#' \ |
285 |
+ -e 's#Cflags:#Cflags: -I${includedir}/private#' \ |
286 |
+ */lib/pkgconfig/nss.pc >"${ED}"/usr/$(get_libdir)/pkgconfig/nss-softokn.pc \ |
287 |
+ || die "could not create nss-softokn.pc" |
288 |
+ |
289 |
+ # all the include files |
290 |
+ insinto /usr/include/nss |
291 |
+ doins public/nss/*.h |
292 |
+ insinto /usr/include/nss/private |
293 |
+ doins private/nss/{blapi,alghmac}.h |
294 |
+ |
295 |
+ popd >/dev/null || die |
296 |
+ |
297 |
+ local f nssutils |
298 |
+ # Always enabled because we need it for chk generation. |
299 |
+ nssutils="shlibsign" |
300 |
+ |
301 |
+ if multilib_is_native_abi ; then |
302 |
+ if use utils; then |
303 |
+ # The tests we do not need to install. |
304 |
+ #nssutils_test="bltest crmftest dbtest dertimetest |
305 |
+ #fipstest remtest sdrtest" |
306 |
+ nssutils="addbuiltin atob baddbdir btoa certcgi certutil checkcert |
307 |
+ cmsutil conflict crlutil derdump digest makepqg mangle modutil multinit |
308 |
+ nonspr10 ocspclnt oidcalc p7content p7env p7sign p7verify pk11mode |
309 |
+ pk12util pp rsaperf selfserv shlibsign signtool signver ssltap strsclnt |
310 |
+ symkeyutil tstclnt vfychain vfyserv" |
311 |
+ # install man-pages for utils (bug #516810) |
312 |
+ doman doc/nroff/*.1 |
313 |
+ fi |
314 |
+ pushd dist/*/bin >/dev/null || die |
315 |
+ for f in ${nssutils}; do |
316 |
+ dobin ${f} |
317 |
+ done |
318 |
+ popd >/dev/null || die |
319 |
+ fi |
320 |
+ |
321 |
+ # Prelink breaks the CHK files. We don't have any reliable way to run |
322 |
+ # shlibsign after prelink. |
323 |
+ dodir /etc/prelink.conf.d |
324 |
+ printf -- "-b ${EPREFIX}/usr/$(get_libdir)/lib%s.so\n" ${NSS_CHK_SIGN_LIBS} \ |
325 |
+ > "${ED}"/etc/prelink.conf.d/nss.conf |
326 |
+} |
327 |
+ |
328 |
+pkg_postinst() { |
329 |
+ multilib_pkg_postinst() { |
330 |
+ # We must re-sign the libraries AFTER they are stripped. |
331 |
+ local shlibsign="${EROOT}/usr/bin/shlibsign" |
332 |
+ # See if we can execute it (cross-compiling & such). #436216 |
333 |
+ "${shlibsign}" -h >&/dev/null |
334 |
+ if [[ $? -gt 1 ]] ; then |
335 |
+ shlibsign="shlibsign" |
336 |
+ fi |
337 |
+ generate_chk "${shlibsign}" "${EROOT}"/usr/$(get_libdir) |
338 |
+ } |
339 |
+ |
340 |
+ multilib_foreach_abi multilib_pkg_postinst |
341 |
+} |
342 |
+ |
343 |
+pkg_postrm() { |
344 |
+ multilib_pkg_postrm() { |
345 |
+ cleanup_chk "${EROOT}"/usr/$(get_libdir) |
346 |
+ } |
347 |
+ |
348 |
+ multilib_foreach_abi multilib_pkg_postrm |
349 |
+} |