
From: Joonas Niilola <juippis@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: dev-libs/nss/
Date: Sun, 05 Jun 2022 06:18:42
Message-Id: 1654409915.1ee8a8e476ad9d6c92c003cc7fa62d1c93b39e34.juippis@gentoo
1 commit: 1ee8a8e476ad9d6c92c003cc7fa62d1c93b39e34
2 Author: Joonas Niilola <juippis <AT> gentoo <DOT> org>
3 AuthorDate: Sun Jun 5 06:13:26 2022 +0000
4 Commit: Joonas Niilola <juippis <AT> gentoo <DOT> org>
5 CommitDate: Sun Jun 5 06:18:35 2022 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1ee8a8e4
7
8 dev-libs/nss: security cleanup
9
10 Bug: https://bugs.gentoo.org/848984
11 Signed-off-by: Joonas Niilola <juippis <AT> gentoo.org>
12
13 dev-libs/nss/Manifest | 2 -
14 dev-libs/nss/nss-3.68.3.ebuild | 362 -----------------------------------------
15 dev-libs/nss/nss-3.78.ebuild | 361 ----------------------------------------
16 3 files changed, 725 deletions(-)
17
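--- a/dev-libs/nss/Manifest
+++ b/dev-libs/nss/Manifest
@@ -1,5 +1,3 @@
-DIST nss-3.68.3.tar.gz 82406947 BLAKE2B 92461f20294a9dce8c8a7eead9d06a4159e66afeb2d42a3313983fc5606a5f97321e038b9c25a7c7a361506910aee027ec91efd3096efdbf62096556d40896de SHA512 70fa8ab48d45249c04424979640583e8bc867432b7e3f26c1602db49a13861dd070f081ed82660bb7451f835dc859b5788ae12a67f9ddab1f6bd1a7afb1174d2
 DIST nss-3.68.4.tar.gz 82409303 BLAKE2B a3cf572e82ce29dbc77e9356e0db425170f7294f1468755843746539663fe486089660e1c1b379d0184003d9ccf57db6cf0b2c161d7038301c1cb5028175b16d SHA512 f97b63a9f8218f8fbd7b5d48c084b8166366d02cd50aac69a22d56324d2fea01c49d074e51430bd128f510c733085f3f43c9739ce4073a07a5666675e0ef3b15
-DIST nss-3.78.tar.gz 84815720 BLAKE2B f140fb49e5edff98abdaae5d90adc5fac080cedfd2fcc2cc86968ac8f51116af648802655986a95dba8f1ca4257dca3c01d850bfd2b064abadea215cb9fd8c5e SHA512 ab54d838f41f963fdd4b87477b1e769186ae1f138f7c5d764cd6873be4791146d14dcc85697a2ca92e08f3bfcbeb61d64e26e7b5398095272c18a8196d43ac6c
 DIST nss-3.79.tar.gz 84830113 BLAKE2B f558592bf0983d3c44f11e079512865d310b4f4c225bcc8e2058cb6a4a721d471c575965a1c2b5d0a130dcf27840da3d7b0ee8aa27fc63791414e22ef7804fa8 SHA512 d3311da3bd0e6907760390221c1307a63d84dd8ad9b85dbfdbf59fe4678341c9856b6f93235731999a1236c98dc0ac66d2dc023eb439cb696f73509dae70c41d
 DIST nss-cacert-class1-class3-r2.patch 21925 BLAKE2B 7627ff9a09f084c19d72d0490676865e3cab3ca7c920ae1ce4bea2db664f37fd0aa84fcda919809a516891ab2a62e2e7a43a9d6ada4c231adfe4c216525fac7d SHA512 1ce6ff9ab310aaca9005eafb461338b291df8523cc7044e096cd75774ce746c26eed19ec6bb2643c6c67f94650f2f309463492d80a90568f38ce2557f8ada2f4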
29 diff --git a/dev-libs/nss/nss-3.68.3.ebuild b/dev-libs/nss/nss-3.68.3.ebuild
30 deleted file mode 100644
31 index a3ff3dba2827..000000000000
32 --- a/dev-libs/nss/nss-3.68.3.ebuild
33 +++ /dev/null
34 @@ -1,362 +0,0 @@
35 -# Copyright 1999-2022 Gentoo Authors
36 -# Distributed under the terms of the GNU General Public License v2
37 -
38 -EAPI=7
39 -
40 -inherit flag-o-matic multilib toolchain-funcs multilib-minimal
41 -
42 -NSPR_VER="4.32"
43 -RTM_NAME="NSS_${PV//./_}_RTM"
44 -
45 -DESCRIPTION="Mozilla's Network Security Services library that implements PKI support"
46 -HOMEPAGE="https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS"
47 -SRC_URI="https://archive.mozilla.org/pub/security/nss/releases/${RTM_NAME}/src/${P}.tar.gz
48 - cacert? ( https://dev.gentoo.org/~whissi/dist/ca-certificates/nss-cacert-class1-class3-r2.patch )"
49 -
50 -LICENSE="|| ( MPL-2.0 GPL-2 LGPL-2.1 )"
51 -SLOT="0"
52 -KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~x64-solaris ~x86-solaris"
53 -IUSE="cacert utils cpu_flags_ppc_altivec cpu_flags_ppc_vsx"
54 -# pkg-config called by nss-config -> virtual/pkgconfig in RDEPEND
55 -RDEPEND="
56 - >=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}]
57 - >=dev-db/sqlite-3.8.2[${MULTILIB_USEDEP}]
58 - >=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}]
59 - virtual/pkgconfig
60 -"
61 -DEPEND="${RDEPEND}"
62 -BDEPEND="dev-lang/perl"
63 -
64 -RESTRICT="test"
65 -
66 -S="${WORKDIR}/${P}/${PN}"
67 -
68 -MULTILIB_CHOST_TOOLS=(
69 - /usr/bin/nss-config
70 -)
71 -
72 -PATCHES=(
73 - # Custom changes for gentoo
74 - "${FILESDIR}/${PN}-3.53-gentoo-fixups.patch"
75 - "${FILESDIR}/${PN}-3.21-gentoo-fixup-warnings.patch"
76 - "${FILESDIR}/${PN}-3.23-hppa-byte_order.patch"
77 - "${FILESDIR}/nss-3.68-ld-fix.patch"
78 -)
79 -
80 -src_prepare() {
81 - default
82 -
83 - if use cacert ; then
84 - eapply -p2 "${DISTDIR}"/nss-cacert-class1-class3-r2.patch
85 - fi
86 -
87 - pushd coreconf >/dev/null || die
88 - # hack nspr paths
89 - echo 'INCLUDES += -I$(DIST)/include/dbm' \
90 - >> headers.mk || die "failed to append include"
91 -
92 - # modify install path
93 - sed -e '/CORE_DEPTH/s:SOURCE_PREFIX.*$:SOURCE_PREFIX = $(CORE_DEPTH)/dist:' \
94 - -i source.mk || die
95 -
96 - # Respect LDFLAGS
97 - sed -i -e 's/\$(MKSHLIB) -o/\$(MKSHLIB) \$(LDFLAGS) -o/g' rules.mk
98 - popd >/dev/null || die
99 -
100 - # Fix pkgconfig file for Prefix
101 - sed -i -e "/^PREFIX =/s:= /usr:= ${EPREFIX}/usr:" \
102 - config/Makefile || die
103 -
104 - # use host shlibsign if need be #436216
105 - if tc-is-cross-compiler ; then
106 - sed -i \
107 - -e 's:"${2}"/shlibsign:shlibsign:' \
108 - cmd/shlibsign/sign.sh || die
109 - fi
110 -
111 - # dirty hack
112 - sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../freebl/\$(OBJDIR):" \
113 - lib/ssl/config.mk || die
114 - sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../../lib/freebl/\$(OBJDIR):" \
115 - cmd/platlibs.mk || die
116 -
117 - multilib_copy_sources
118 -
119 - strip-flags
120 -}
121 -
122 -multilib_src_configure() {
123 - # Ensure we stay multilib aware
124 - sed -i -e "/@libdir@/ s:lib64:$(get_libdir):" config/Makefile || die
125 -}
126 -
127 -nssarch() {
128 - # Most of the arches are the same as $ARCH
129 - local t=${1:-${CHOST}}
130 - case ${t} in
131 - *86*-pc-solaris2*) echo "i86pc" ;;
132 - aarch64*) echo "aarch64" ;;
133 - hppa*) echo "parisc" ;;
134 - i?86*) echo "i686" ;;
135 - x86_64*) echo "x86_64" ;;
136 - *) tc-arch ${t} ;;
137 - esac
138 -}
139 -
140 -nssbits() {
141 - local cc cppflags="${1}CPPFLAGS" cflags="${1}CFLAGS"
142 - if [[ ${1} == BUILD_ ]]; then
143 - cc=$(tc-getBUILD_CC)
144 - else
145 - cc=$(tc-getCC)
146 - fi
147 - echo > "${T}"/test.c || die
148 - ${cc} ${!cppflags} ${!cflags} -c "${T}"/test.c -o "${T}/${1}test.o" || die
149 - case $(file "${T}/${1}test.o") in
150 - *32-bit*x86-64*) echo USE_X32=1;;
151 - *64-bit*|*ppc64*|*x86_64*) echo USE_64=1;;
152 - *32-bit*|*ppc*|*i386*) ;;
153 - *) die "Failed to detect whether ${cc} builds 64bits or 32bits, disable distcc if you're using it, please";;
154 - esac
155 -}
156 -
157 -multilib_src_compile() {
158 - # use ABI to determine bit'ness, or fallback if unset
159 - local buildbits mybits
160 - case "${ABI}" in
161 - n32) mybits="USE_N32=1";;
162 - x32) mybits="USE_X32=1";;
163 - s390x|*64) mybits="USE_64=1";;
164 - ${DEFAULT_ABI})
165 - einfo "Running compilation test to determine bit'ness"
166 - mybits=$(nssbits)
167 - ;;
168 - esac
169 - # bitness of host may differ from target
170 - if tc-is-cross-compiler; then
171 - buildbits=$(nssbits BUILD_)
172 - fi
173 -
174 - local makeargs=(
175 - CC="$(tc-getCC)"
176 - CCC="$(tc-getCXX)"
177 - AR="$(tc-getAR) rc \$@"
178 - RANLIB="$(tc-getRANLIB)"
179 - OPTIMIZER=
180 - ${mybits}
181 - )
182 -
183 - # Take care of nspr settings #436216
184 - local myCPPFLAGS="${CPPFLAGS} $($(tc-getPKG_CONFIG) nspr --cflags)"
185 - unset NSPR_INCLUDE_DIR
186 -
187 - export NSS_ALLOW_SSLKEYLOGFILE=1
188 - export NSS_ENABLE_WERROR=0 #567158
189 - export BUILD_OPT=1
190 - export NSS_USE_SYSTEM_SQLITE=1
191 - export NSDISTMODE=copy
192 - export FREEBL_NO_DEPEND=1
193 - export FREEBL_LOWHASH=1
194 - export NSS_SEED_ONLY_DEV_URANDOM=1
195 - export USE_SYSTEM_ZLIB=1
196 - export ZLIB_LIBS=-lz
197 - export ASFLAGS=""
198 - # Fix build failure on arm64
199 - export NS_USE_GCC=1
200 - # Detect compiler type and set proper environment value
201 - if tc-is-gcc; then
202 - export CC_IS_GCC=1
203 - elif tc-is-clang; then
204 - export CC_IS_CLANG=1
205 - fi
206 -
207 - # explicitly disable altivec/vsx if not requested
208 - # https://bugs.gentoo.org/789114
209 - case ${ARCH} in
210 - ppc*)
211 - use cpu_flags_ppc_altivec || export NSS_DISABLE_ALTIVEC=1
212 - use cpu_flags_ppc_vsx || export NSS_DISABLE_CRYPTO_VSX=1
213 - ;;
214 - esac
215 -
216 - local d
217 -
218 - # Build the host tools first.
219 - LDFLAGS="${BUILD_LDFLAGS}" \
220 - XCFLAGS="${BUILD_CFLAGS}" \
221 - NSPR_LIB_DIR="${T}/fakedir" \
222 - emake -j1 -C coreconf \
223 - CC="$(tc-getBUILD_CC)" \
224 - ${buildbits-${mybits}}
225 - makeargs+=( NSINSTALL="${PWD}/$(find -type f -name nsinstall)" )
226 -
227 - # Then build the target tools.
228 - for d in . lib/dbm ; do
229 - CPPFLAGS="${myCPPFLAGS}" \
230 - XCFLAGS="${CFLAGS} ${CPPFLAGS}" \
231 - NSPR_LIB_DIR="${T}/fakedir" \
232 - emake -j1 "${makeargs[@]}" -C ${d} OS_TEST="$(nssarch)"
233 - done
234 -}
235 -
236 -# Altering these 3 libraries breaks the CHK verification.
237 -# All of the following cause it to break:
238 -# - stripping
239 -# - prelink
240 -# - ELF signing
241 -# http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn6.html
242 -# Either we have to NOT strip them, or we have to forcibly resign after
243 -# stripping.
244 -#local_libdir="$(get_libdir)"
245 -#export STRIP_MASK="
246 -# */${local_libdir}/libfreebl3.so*
247 -# */${local_libdir}/libnssdbm3.so*
248 -# */${local_libdir}/libsoftokn3.so*"
249 -
250 -export NSS_CHK_SIGN_LIBS="freebl3 nssdbm3 softokn3"
251 -
252 -generate_chk() {
253 - local shlibsign="$1"
254 - local libdir="$2"
255 - einfo "Resigning core NSS libraries for FIPS validation"
256 - shift 2
257 - local i
258 - for i in ${NSS_CHK_SIGN_LIBS} ; do
259 - local libname=lib${i}.so
260 - local chkname=lib${i}.chk
261 - "${shlibsign}" \
262 - -i "${libdir}"/${libname} \
263 - -o "${libdir}"/${chkname}.tmp \
264 - && mv -f \
265 - "${libdir}"/${chkname}.tmp \
266 - "${libdir}"/${chkname} \
267 - || die "Failed to sign ${libname}"
268 - done
269 -}
270 -
271 -cleanup_chk() {
272 - local libdir="$1"
273 - shift 1
274 - local i
275 - for i in ${NSS_CHK_SIGN_LIBS} ; do
276 - local libfname="${libdir}/lib${i}.so"
277 - # If the major version has changed, then we have old chk files.
278 - [ ! -f "${libfname}" -a -f "${libfname}.chk" ] \
279 - && rm -f "${libfname}.chk"
280 - done
281 -}
282 -
283 -multilib_src_install() {
284 - pushd dist >/dev/null || die
285 -
286 - dodir /usr/$(get_libdir)
287 - cp -L */lib/*$(get_libname) "${ED}"/usr/$(get_libdir) || die "copying shared libs failed"
288 - local i
289 - for i in crmf freebl nssb nssckfw ; do
290 - cp -L */lib/lib${i}.a "${ED}"/usr/$(get_libdir) || die "copying libs failed"
291 - done
292 -
293 - # Install nss-config and pkgconfig file
294 - dodir /usr/bin
295 - cp -L */bin/nss-config "${ED}"/usr/bin || die
296 - dodir /usr/$(get_libdir)/pkgconfig
297 - cp -L */lib/pkgconfig/nss.pc "${ED}"/usr/$(get_libdir)/pkgconfig || die
298 -
299 - # create an nss-softokn.pc from nss.pc for libfreebl and some private headers
300 - # bug 517266
301 - sed -e 's#Libs:#Libs: -lfreebl#' \
302 - -e 's#Cflags:#Cflags: -I${includedir}/private#' \
303 - */lib/pkgconfig/nss.pc >"${ED}"/usr/$(get_libdir)/pkgconfig/nss-softokn.pc \
304 - || die "could not create nss-softokn.pc"
305 -
306 - # all the include files
307 - insinto /usr/include/nss
308 - doins public/nss/*.{h,api}
309 - insinto /usr/include/nss/private
310 - doins private/nss/{blapi,alghmac,cmac}.h
311 -
312 - popd >/dev/null || die
313 -
314 - local f nssutils
315 - # Always enabled because we need it for chk generation.
316 - nssutils=( shlibsign )
317 -
318 - if multilib_is_native_abi ; then
319 - if use utils; then
320 - # The tests we do not need to install.
321 - #nssutils_test="bltest crmftest dbtest dertimetest
322 - #fipstest remtest sdrtest"
323 - # checkcert utils has been removed in nss-3.22:
324 - # https://bugzilla.mozilla.org/show_bug.cgi?id=1187545
325 - # https://hg.mozilla.org/projects/nss/rev/df1729d37870
326 - # certcgi has been removed in nss-3.36:
327 - # https://bugzilla.mozilla.org/show_bug.cgi?id=1426602
328 - nssutils+=(
329 - addbuiltin
330 - atob
331 - baddbdir
332 - btoa
333 - certutil
334 - cmsutil
335 - conflict
336 - crlutil
337 - derdump
338 - digest
339 - makepqg
340 - mangle
341 - modutil
342 - multinit
343 - nonspr10
344 - ocspclnt
345 - oidcalc
346 - p7content
347 - p7env
348 - p7sign
349 - p7verify
350 - pk11mode
351 - pk12util
352 - pp
353 - rsaperf
354 - selfserv
355 - signtool
356 - signver
357 - ssltap
358 - strsclnt
359 - symkeyutil
360 - tstclnt
361 - vfychain
362 - vfyserv
363 - )
364 - # install man-pages for utils (bug #516810)
365 - doman doc/nroff/*.1
366 - fi
367 - pushd dist/*/bin >/dev/null || die
368 - for f in ${nssutils[@]}; do
369 - dobin ${f}
370 - done
371 - popd >/dev/null || die
372 - fi
373 -}
374 -
375 -pkg_postinst() {
376 - multilib_pkg_postinst() {
377 - # We must re-sign the libraries AFTER they are stripped.
378 - local shlibsign="${EROOT}/usr/bin/shlibsign"
379 - # See if we can execute it (cross-compiling & such). #436216
380 - "${shlibsign}" -h >&/dev/null
381 - if [[ $? -gt 1 ]] ; then
382 - shlibsign="shlibsign"
383 - fi
384 - generate_chk "${shlibsign}" "${EROOT}"/usr/$(get_libdir)
385 - }
386 -
387 - multilib_foreach_abi multilib_pkg_postinst
388 -}
389 -
390 -pkg_postrm() {
391 - multilib_pkg_postrm() {
392 - cleanup_chk "${EROOT}"/usr/$(get_libdir)
393 - }
394 -
395 - multilib_foreach_abi multilib_pkg_postrm
396 -}
397
398 diff --git a/dev-libs/nss/nss-3.78.ebuild b/dev-libs/nss/nss-3.78.ebuild
399 deleted file mode 100644
400 index 07756d89615d..000000000000
401 --- a/dev-libs/nss/nss-3.78.ebuild
402 +++ /dev/null
403 @@ -1,361 +0,0 @@
404 -# Copyright 1999-2022 Gentoo Authors
405 -# Distributed under the terms of the GNU General Public License v2
406 -
407 -EAPI=8
408 -
409 -inherit flag-o-matic multilib toolchain-funcs multilib-minimal
410 -
411 -NSPR_VER="4.32"
412 -RTM_NAME="NSS_${PV//./_}_RTM"
413 -
414 -DESCRIPTION="Mozilla's Network Security Services library that implements PKI support"
415 -HOMEPAGE="https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS"
416 -SRC_URI="https://archive.mozilla.org/pub/security/nss/releases/${RTM_NAME}/src/${P}.tar.gz
417 - cacert? ( https://dev.gentoo.org/~whissi/dist/ca-certificates/nss-cacert-class1-class3-r2.patch )"
418 -
419 -LICENSE="|| ( MPL-2.0 GPL-2 LGPL-2.1 )"
420 -SLOT="0"
421 -KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~x64-solaris ~x86-solaris"
422 -IUSE="cacert utils cpu_flags_ppc_altivec cpu_flags_ppc_vsx"
423 -# pkg-config called by nss-config -> virtual/pkgconfig in RDEPEND
424 -RDEPEND="
425 - >=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}]
426 - >=dev-db/sqlite-3.8.2[${MULTILIB_USEDEP}]
427 - >=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}]
428 - virtual/pkgconfig
429 -"
430 -DEPEND="${RDEPEND}"
431 -BDEPEND="dev-lang/perl"
432 -
433 -RESTRICT="test"
434 -
435 -S="${WORKDIR}/${P}/${PN}"
436 -
437 -MULTILIB_CHOST_TOOLS=(
438 - /usr/bin/nss-config
439 -)
440 -
441 -PATCHES=(
442 - # Custom changes for gentoo
443 - "${FILESDIR}/${PN}-3.53-gentoo-fixups.patch"
444 - "${FILESDIR}/${PN}-3.21-gentoo-fixup-warnings.patch"
445 - "${FILESDIR}/${PN}-3.23-hppa-byte_order.patch"
446 -)
447 -
448 -src_prepare() {
449 - default
450 -
451 - if use cacert ; then
452 - eapply -p2 "${DISTDIR}"/nss-cacert-class1-class3-r2.patch
453 - fi
454 -
455 - pushd coreconf >/dev/null || die
456 - # hack nspr paths
457 - echo 'INCLUDES += -I$(DIST)/include/dbm' \
458 - >> headers.mk || die "failed to append include"
459 -
460 - # modify install path
461 - sed -e '/CORE_DEPTH/s:SOURCE_PREFIX.*$:SOURCE_PREFIX = $(CORE_DEPTH)/dist:' \
462 - -i source.mk || die
463 -
464 - # Respect LDFLAGS
465 - sed -i -e 's/\$(MKSHLIB) -o/\$(MKSHLIB) \$(LDFLAGS) -o/g' rules.mk
466 - popd >/dev/null || die
467 -
468 - # Fix pkgconfig file for Prefix
469 - sed -i -e "/^PREFIX =/s:= /usr:= ${EPREFIX}/usr:" \
470 - config/Makefile || die
471 -
472 - # use host shlibsign if need be #436216
473 - if tc-is-cross-compiler ; then
474 - sed -i \
475 - -e 's:"${2}"/shlibsign:shlibsign:' \
476 - cmd/shlibsign/sign.sh || die
477 - fi
478 -
479 - # dirty hack
480 - sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../freebl/\$(OBJDIR):" \
481 - lib/ssl/config.mk || die
482 - sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../../lib/freebl/\$(OBJDIR):" \
483 - cmd/platlibs.mk || die
484 -
485 - multilib_copy_sources
486 -
487 - strip-flags
488 -}
489 -
490 -multilib_src_configure() {
491 - # Ensure we stay multilib aware
492 - sed -i -e "/@libdir@/ s:lib64:$(get_libdir):" config/Makefile || die
493 -}
494 -
495 -nssarch() {
496 - # Most of the arches are the same as $ARCH
497 - local t=${1:-${CHOST}}
498 - case ${t} in
499 - *86*-pc-solaris2*) echo "i86pc" ;;
500 - aarch64*) echo "aarch64" ;;
501 - hppa*) echo "parisc" ;;
502 - i?86*) echo "i686" ;;
503 - x86_64*) echo "x86_64" ;;
504 - *) tc-arch ${t} ;;
505 - esac
506 -}
507 -
508 -nssbits() {
509 - local cc cppflags="${1}CPPFLAGS" cflags="${1}CFLAGS"
510 - if [[ ${1} == BUILD_ ]]; then
511 - cc=$(tc-getBUILD_CC)
512 - else
513 - cc=$(tc-getCC)
514 - fi
515 - echo > "${T}"/test.c || die
516 - ${cc} ${!cppflags} ${!cflags} -c "${T}"/test.c -o "${T}/${1}test.o" || die
517 - case $(file "${T}/${1}test.o") in
518 - *32-bit*x86-64*) echo USE_X32=1;;
519 - *64-bit*|*ppc64*|*x86_64*) echo USE_64=1;;
520 - *32-bit*|*ppc*|*i386*) ;;
521 - *) die "Failed to detect whether ${cc} builds 64bits or 32bits, disable distcc if you're using it, please";;
522 - esac
523 -}
524 -
525 -multilib_src_compile() {
526 - # use ABI to determine bit'ness, or fallback if unset
527 - local buildbits mybits
528 - case "${ABI}" in
529 - n32) mybits="USE_N32=1";;
530 - x32) mybits="USE_X32=1";;
531 - s390x|*64) mybits="USE_64=1";;
532 - ${DEFAULT_ABI})
533 - einfo "Running compilation test to determine bit'ness"
534 - mybits=$(nssbits)
535 - ;;
536 - esac
537 - # bitness of host may differ from target
538 - if tc-is-cross-compiler; then
539 - buildbits=$(nssbits BUILD_)
540 - fi
541 -
542 - local makeargs=(
543 - CC="$(tc-getCC)"
544 - CCC="$(tc-getCXX)"
545 - AR="$(tc-getAR) rc \$@"
546 - RANLIB="$(tc-getRANLIB)"
547 - OPTIMIZER=
548 - ${mybits}
549 - )
550 -
551 - # Take care of nspr settings #436216
552 - local myCPPFLAGS="${CPPFLAGS} $($(tc-getPKG_CONFIG) nspr --cflags)"
553 - unset NSPR_INCLUDE_DIR
554 -
555 - export NSS_ALLOW_SSLKEYLOGFILE=1
556 - export NSS_ENABLE_WERROR=0 #567158
557 - export BUILD_OPT=1
558 - export NSS_USE_SYSTEM_SQLITE=1
559 - export NSDISTMODE=copy
560 - export FREEBL_NO_DEPEND=1
561 - export FREEBL_LOWHASH=1
562 - export NSS_SEED_ONLY_DEV_URANDOM=1
563 - export USE_SYSTEM_ZLIB=1
564 - export ZLIB_LIBS=-lz
565 - export ASFLAGS=""
566 - # Fix build failure on arm64
567 - export NS_USE_GCC=1
568 - # Detect compiler type and set proper environment value
569 - if tc-is-gcc; then
570 - export CC_IS_GCC=1
571 - elif tc-is-clang; then
572 - export CC_IS_CLANG=1
573 - fi
574 -
575 - # explicitly disable altivec/vsx if not requested
576 - # https://bugs.gentoo.org/789114
577 - case ${ARCH} in
578 - ppc*)
579 - use cpu_flags_ppc_altivec || export NSS_DISABLE_ALTIVEC=1
580 - use cpu_flags_ppc_vsx || export NSS_DISABLE_CRYPTO_VSX=1
581 - ;;
582 - esac
583 -
584 - local d
585 -
586 - # Build the host tools first.
587 - LDFLAGS="${BUILD_LDFLAGS}" \
588 - XCFLAGS="${BUILD_CFLAGS}" \
589 - NSPR_LIB_DIR="${T}/fakedir" \
590 - emake -j1 -C coreconf \
591 - CC="$(tc-getBUILD_CC)" \
592 - ${buildbits-${mybits}}
593 - makeargs+=( NSINSTALL="${PWD}/$(find -type f -name nsinstall)" )
594 -
595 - # Then build the target tools.
596 - for d in . lib/dbm ; do
597 - CPPFLAGS="${myCPPFLAGS}" \
598 - XCFLAGS="${CFLAGS} ${CPPFLAGS}" \
599 - NSPR_LIB_DIR="${T}/fakedir" \
600 - emake -j1 "${makeargs[@]}" -C ${d} OS_TEST="$(nssarch)"
601 - done
602 -}
603 -
604 -# Altering these 3 libraries breaks the CHK verification.
605 -# All of the following cause it to break:
606 -# - stripping
607 -# - prelink
608 -# - ELF signing
609 -# http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn6.html
610 -# Either we have to NOT strip them, or we have to forcibly resign after
611 -# stripping.
612 -#local_libdir="$(get_libdir)"
613 -#export STRIP_MASK="
614 -# */${local_libdir}/libfreebl3.so*
615 -# */${local_libdir}/libnssdbm3.so*
616 -# */${local_libdir}/libsoftokn3.so*"
617 -
618 -export NSS_CHK_SIGN_LIBS="freebl3 nssdbm3 softokn3"
619 -
620 -generate_chk() {
621 - local shlibsign="$1"
622 - local libdir="$2"
623 - einfo "Resigning core NSS libraries for FIPS validation"
624 - shift 2
625 - local i
626 - for i in ${NSS_CHK_SIGN_LIBS} ; do
627 - local libname=lib${i}.so
628 - local chkname=lib${i}.chk
629 - "${shlibsign}" \
630 - -i "${libdir}"/${libname} \
631 - -o "${libdir}"/${chkname}.tmp \
632 - && mv -f \
633 - "${libdir}"/${chkname}.tmp \
634 - "${libdir}"/${chkname} \
635 - || die "Failed to sign ${libname}"
636 - done
637 -}
638 -
639 -cleanup_chk() {
640 - local libdir="$1"
641 - shift 1
642 - local i
643 - for i in ${NSS_CHK_SIGN_LIBS} ; do
644 - local libfname="${libdir}/lib${i}.so"
645 - # If the major version has changed, then we have old chk files.
646 - [ ! -f "${libfname}" -a -f "${libfname}.chk" ] \
647 - && rm -f "${libfname}.chk"
648 - done
649 -}
650 -
651 -multilib_src_install() {
652 - pushd dist >/dev/null || die
653 -
654 - dodir /usr/$(get_libdir)
655 - cp -L */lib/*$(get_libname) "${ED}"/usr/$(get_libdir) || die "copying shared libs failed"
656 - local i
657 - for i in crmf freebl nssb nssckfw ; do
658 - cp -L */lib/lib${i}.a "${ED}"/usr/$(get_libdir) || die "copying libs failed"
659 - done
660 -
661 - # Install nss-config and pkgconfig file
662 - dodir /usr/bin
663 - cp -L */bin/nss-config "${ED}"/usr/bin || die
664 - dodir /usr/$(get_libdir)/pkgconfig
665 - cp -L */lib/pkgconfig/nss.pc "${ED}"/usr/$(get_libdir)/pkgconfig || die
666 -
667 - # create an nss-softokn.pc from nss.pc for libfreebl and some private headers
668 - # bug 517266
669 - sed -e 's#Libs:#Libs: -lfreebl#' \
670 - -e 's#Cflags:#Cflags: -I${includedir}/private#' \
671 - */lib/pkgconfig/nss.pc >"${ED}"/usr/$(get_libdir)/pkgconfig/nss-softokn.pc \
672 - || die "could not create nss-softokn.pc"
673 -
674 - # all the include files
675 - insinto /usr/include/nss
676 - doins public/nss/*.{h,api}
677 - insinto /usr/include/nss/private
678 - doins private/nss/{blapi,alghmac,cmac}.h
679 -
680 - popd >/dev/null || die
681 -
682 - local f nssutils
683 - # Always enabled because we need it for chk generation.
684 - nssutils=( shlibsign )
685 -
686 - if multilib_is_native_abi ; then
687 - if use utils; then
688 - # The tests we do not need to install.
689 - #nssutils_test="bltest crmftest dbtest dertimetest
690 - #fipstest remtest sdrtest"
691 - # checkcert utils has been removed in nss-3.22:
692 - # https://bugzilla.mozilla.org/show_bug.cgi?id=1187545
693 - # https://hg.mozilla.org/projects/nss/rev/df1729d37870
694 - # certcgi has been removed in nss-3.36:
695 - # https://bugzilla.mozilla.org/show_bug.cgi?id=1426602
696 - nssutils+=(
697 - addbuiltin
698 - atob
699 - baddbdir
700 - btoa
701 - certutil
702 - cmsutil
703 - conflict
704 - crlutil
705 - derdump
706 - digest
707 - makepqg
708 - mangle
709 - modutil
710 - multinit
711 - nonspr10
712 - ocspclnt
713 - oidcalc
714 - p7content
715 - p7env
716 - p7sign
717 - p7verify
718 - pk11mode
719 - pk12util
720 - pp
721 - rsaperf
722 - selfserv
723 - signtool
724 - signver
725 - ssltap
726 - strsclnt
727 - symkeyutil
728 - tstclnt
729 - vfychain
730 - vfyserv
731 - )
732 - # install man-pages for utils (bug #516810)
733 - doman doc/nroff/*.1
734 - fi
735 - pushd dist/*/bin >/dev/null || die
736 - for f in ${nssutils[@]}; do
737 - dobin ${f}
738 - done
739 - popd >/dev/null || die
740 - fi
741 -}
742 -
743 -pkg_postinst() {
744 - multilib_pkg_postinst() {
745 - # We must re-sign the libraries AFTER they are stripped.
746 - local shlibsign="${EROOT}/usr/bin/shlibsign"
747 - # See if we can execute it (cross-compiling & such). #436216
748 - "${shlibsign}" -h >&/dev/null
749 - if [[ $? -gt 1 ]] ; then
750 - shlibsign="shlibsign"
751 - fi
752 - generate_chk "${shlibsign}" "${EROOT}"/usr/$(get_libdir)
753 - }
754 -
755 - multilib_foreach_abi multilib_pkg_postinst
756 -}
757 -
758 -pkg_postrm() {
759 - multilib_pkg_postrm() {
760 - cleanup_chk "${EROOT}"/usr/$(get_libdir)
761 - }
762 -
763 - multilib_foreach_abi multilib_pkg_postrm
764 -}