Skip to content

Commit

Permalink
dev-libs/nss: Bump to version 3.22
Browse files Browse the repository at this point in the history 
Package-Manager: portage-2.2.27
Signed-off-by: Lars Wendler <[email protected]>
  • Loading branch information
Lars Wendler committed Feb 15, 2016
1 parent db3a807 commit 55fbe59
Show file tree
Hide file tree
Showing 2 changed files with 329 additions and 0 deletions.
1 change: 1 addition & 0 deletions dev-libs/nss/Manifest
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,5 +3,6 @@ DIST nss-3.19.2.tar.gz 6953657 SHA256 1306663e8f61d8449ad8cbcffab743a604dcd9f6f3
DIST nss-3.20.1.tar.gz 6958956 SHA256 ad3c8f11dfd9570c2d04a6140d5ef7c2bdd0fe30d6c9e5548721a4251a5e8c97 SHA512 c8db693a81b8ddb4d2a742c2fce3f23dd40736e54c55c0de072f84572fcdad8fb7646e4b8ea696e4c97ea6c9cb0fa144f573f8776c2839eb25c4075b50d01d74 WHIRLPOOL 3d4667b243ba6ac596ea7e9936bf9cba7aa1b9767fd19b53352c3a9a9eef0f1a0a9e7da719634dbc9dfcc087d187d5e774ae351c1e57545e8b8c1f40e41e42e6
DIST nss-3.20.tar.gz 6955552 SHA256 5e38d4b9837ca338af966b97fc91c07f67ad647fb38dc4af3cfd0d84e477d15c SHA512 50f666209cadd4e463f98643ec67e35f4d1b88381e17db9eed7c67559b19799fcc27e49d72536f546d4c45bca2afa4664e5590f868775a4397a77111d68fc366 WHIRLPOOL 84f20e6764b3621762fcfcb9223a3861e1f5ff02078b19b7df2eb58430a5f96943d962dca2d3366b18cd434acf3d3be746242c5064497167d5671c50233834de
DIST nss-3.21.tar.gz 6978112 SHA256 3f7a5b027d7cdd5c0e4ff7544da33fdc6f56c2f8c27fff02938fd4a6fbe87239 SHA512 0645465b5d1ab05d819355a3f4a2879499539a00d95bfab3ca14a7dcd901e510b5d9ae797386ff5a42f68b0b57f7bbec4ec9d3a85ebd508eb824aba1fb589d53 WHIRLPOOL 7504d83de606d61840e06cb855ea688eb022d5eef062bcb7ac4d1064db96b96e35ae4ce0aff9d389a2140a7c3b974aaa9a86ada52af1199d462fdb48b11b42e4
DIST nss-3.22.tar.gz 6992347 SHA256 30ebd121c77e725a1383618eff79a6752d6e9f0f21882ad825ddab12e7227611 SHA512 f97251a17ad4ea889878ffeba64f19560978cf82c512b84c301be248ee4fe764345838fb8a88233b0fe12abe7bf78ce521a6ac64fa8d16bd0e1283eac9c17be1 WHIRLPOOL 8e128f3c8eb411c6569bd6d4d1edb55041e214913669687a5481d16f9aff245d3fc827f9a8c96e4723b3f0ec127d4461a1cda247dc296d9dce34513c7ab7e43d
DIST nss-pem-015ae754dd9f6fbcd7e52030ec9732eb27fc06a8.tar.bz2 27506 SHA256 50d9ec26a75835e900302f631456e278e13d4b435b8f98aa69f79dd439ddc6ab SHA512 0158a140f112a905f7db5a4f4d04f49f6742db1d2665ddf6c32913c367f0b93a57f86ba13b9883a42a528aff44c48196941d7c0fd7a27005db6adaf07802e501 WHIRLPOOL 279ef11d2d6f0cb7c192189d64bc6971cdada7417b93a65a3ff0ba4548b736b53b9812803024c2349114e94e0864f2b58c23812687ed3f75cf28334b0f6e11ac
DIST nss-pem-20140125.tar.bz2 28805 SHA256 62604dfc4178399a804e87ca7566d8316a0a40a535de3b2d0fa48fd80c97f768 SHA512 352faf812735e1374c534ada6dd577842603ea193dafaacfd51f201599ffe3f7a23ce1c673421e42f8b692091b58085f90843c29f70ae916949715e7baba2b39 WHIRLPOOL 3ae81410f6f4d2699e9dc55982cad03c226045fbeee25984d53d37ff78ce5c96d008d6837e1c0a10b6c96cdff17c21142e437159896d314e81afc8820867ca62
328 changes: 328 additions & 0 deletions dev-libs/nss/nss-3.22.ebuild
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,328 @@
# Copyright 1999-2016 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Id$

EAPI="5"

inherit eutils flag-o-matic multilib toolchain-funcs multilib-minimal

NSPR_VER="4.10.8"
RTM_NAME="NSS_${PV//./_}_RTM"
# Rev of https://git.fedorahosted.org/cgit/nss-pem.git
PEM_GIT_REV="015ae754dd9f6fbcd7e52030ec9732eb27fc06a8"
PEM_P="${PN}-pem-20140125"

DESCRIPTION="Mozilla's Network Security Services library that implements PKI support"
HOMEPAGE="http://www.mozilla.org/projects/security/pki/nss/"
SRC_URI="http://archive.mozilla.org/pub/mozilla.org/security/nss/releases/${RTM_NAME}/src/${P}.tar.gz
cacert? ( https://dev.gentoo.org/~anarchy/patches/${PN}-3.14.1-add_spi+cacerts_ca_certs.patch )
nss-pem? ( https://dev.gentoo.org/~anarchy/dist/${PEM_P}.tar.bz2 )"

LICENSE="|| ( MPL-2.0 GPL-2 LGPL-2.1 )"
SLOT="0"
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris"
IUSE="+cacert +nss-pem utils"
CDEPEND=">=dev-db/sqlite-3.8.2[${MULTILIB_USEDEP}]
>=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}]"
DEPEND=">=virtual/pkgconfig-0-r1[${MULTILIB_USEDEP}]
>=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}]
${CDEPEND}"
RDEPEND=">=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}]
${CDEPEND}
abi_x86_32? (
!<=app-emulation/emul-linux-x86-baselibs-20140508-r12
!app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
)"

RESTRICT="test"

S="${WORKDIR}/${P}/${PN}"

MULTILIB_CHOST_TOOLS=(
/usr/bin/nss-config
)

src_unpack() {
unpack ${A}
if use nss-pem ; then
mv "${PN}"/lib/ckfw/pem/ "${S}"/lib/ckfw/ || die
fi
}

src_prepare() {
# Custom changes for gentoo
epatch "${FILESDIR}/${PN}-3.21-gentoo-fixups.patch"
epatch "${FILESDIR}/${PN}-3.21-gentoo-fixup-warnings.patch"
epatch "${FILESDIR}/${PN}-3.21-hppa-byte_order.patch"

if use cacert ; then
epatch "${DISTDIR}/${PN}-3.14.1-add_spi+cacerts_ca_certs.patch"
epatch "${FILESDIR}/${PN}-3.21-cacert-class3.patch" #521462
fi
use nss-pem && epatch "${FILESDIR}/${PN}-3.21-enable-pem.patch" \
"${FILESDIR}/${PN}-3.21-pem-werror.patch"

pushd coreconf >/dev/null || die
# hack nspr paths
echo 'INCLUDES += -I$(DIST)/include/dbm' \
>> headers.mk || die "failed to append include"

# modify install path
sed -e '/CORE_DEPTH/s:SOURCE_PREFIX.*$:SOURCE_PREFIX = $(CORE_DEPTH)/dist:' \
-i source.mk || die

# Respect LDFLAGS
sed -i -e 's/\$(MKSHLIB) -o/\$(MKSHLIB) \$(LDFLAGS) -o/g' rules.mk
popd >/dev/null || die

# Fix pkgconfig file for Prefix
sed -i -e "/^PREFIX =/s:= /usr:= ${EPREFIX}/usr:" \
config/Makefile || die

# use host shlibsign if need be #436216
if tc-is-cross-compiler ; then
sed -i \
-e 's:"${2}"/shlibsign:shlibsign:' \
cmd/shlibsign/sign.sh || die
fi

# dirty hack
sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../freebl/\$(OBJDIR):" \
lib/ssl/config.mk || die
sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../../lib/freebl/\$(OBJDIR):" \
cmd/platlibs.mk || die

multilib_copy_sources

strip-flags
}

multilib_src_configure() {
# Ensure we stay multilib aware
sed -i -e "/@libdir@/ s:lib64:$(get_libdir):" config/Makefile || die
}

nssarch() {
# Most of the arches are the same as $ARCH
local t=${1:-${CHOST}}
case ${t} in
aarch64*)echo "aarch64";;
hppa*) echo "parisc";;
i?86*) echo "i686";;
x86_64*) echo "x86_64";;
*) tc-arch ${t};;
esac
}

nssbits() {
local cc cppflags="${1}CPPFLAGS" cflags="${1}CFLAGS"
if [[ ${1} == BUILD_ ]]; then
cc=$(tc-getBUILD_CC)
else
cc=$(tc-getCC)
fi
echo > "${T}"/test.c || die
${cc} ${!cppflags} ${!cflags} -c "${T}"/test.c -o "${T}/${1}test.o" || die
case $(file "${T}/${1}test.o") in
*32-bit*x86-64*) echo USE_X32=1;;
*64-bit*|*ppc64*|*x86_64*) echo USE_64=1;;
*32-bit*|*ppc*|*i386*) ;;
*) die "Failed to detect whether ${cc} builds 64bits or 32bits, disable distcc if you're using it, please";;
esac
}

multilib_src_compile() {
# use ABI to determine bit'ness, or fallback if unset
local buildbits mybits
case "${ABI}" in
n32) mybits="USE_N32=1";;
x32) mybits="USE_X32=1";;
s390x|*64) mybits="USE_64=1";;
${DEFAULT_ABI})
einfo "Running compilation test to determine bit'ness"
mybits=$(nssbits)
;;
esac
# bitness of host may differ from target
if tc-is-cross-compiler; then
buildbits=$(nssbits BUILD_)
fi

local makeargs=(
CC="$(tc-getCC)"
AR="$(tc-getAR) rc \$@"
RANLIB="$(tc-getRANLIB)"
OPTIMIZER=
${mybits}
)

# Take care of nspr settings #436216
local myCPPFLAGS="${CPPFLAGS} $($(tc-getPKG_CONFIG) nspr --cflags)"
unset NSPR_INCLUDE_DIR

# Do not let `uname` be used.
if use kernel_linux ; then
makeargs+=(
OS_TARGET=Linux
OS_RELEASE=2.6
OS_TEST="$(nssarch)"
)
fi

export NSS_ENABLE_WERROR=0 #567158
export BUILD_OPT=1
export NSS_USE_SYSTEM_SQLITE=1
export NSDISTMODE=copy
export NSS_ENABLE_ECC=1
export FREEBL_NO_DEPEND=1
export ASFLAGS=""

local d

# Build the host tools first.
LDFLAGS="${BUILD_LDFLAGS}" \
XCFLAGS="${BUILD_CFLAGS}" \
NSPR_LIB_DIR="${T}/fakedir" \
emake -j1 -C coreconf \
CC="$(tc-getBUILD_CC)" \
${buildbits:-${mybits}}
makeargs+=( NSINSTALL="${PWD}/$(find -type f -name nsinstall)" )

# Then build the target tools.
for d in . lib/dbm ; do
CPPFLAGS="${myCPPFLAGS}" \
XCFLAGS="${CFLAGS} ${CPPFLAGS}" \
NSPR_LIB_DIR="${T}/fakedir" \
emake -j1 "${makeargs[@]}" -C ${d}
done
}

# Altering these 3 libraries breaks the CHK verification.
# All of the following cause it to break:
# - stripping
# - prelink
# - ELF signing
# http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn6.html
# Either we have to NOT strip them, or we have to forcibly resign after
# stripping.
#local_libdir="$(get_libdir)"
#export STRIP_MASK="
# */${local_libdir}/libfreebl3.so*
# */${local_libdir}/libnssdbm3.so*
# */${local_libdir}/libsoftokn3.so*"

export NSS_CHK_SIGN_LIBS="freebl3 nssdbm3 softokn3"

generate_chk() {
local shlibsign="$1"
local libdir="$2"
einfo "Resigning core NSS libraries for FIPS validation"
shift 2
local i
for i in ${NSS_CHK_SIGN_LIBS} ; do
local libname=lib${i}.so
local chkname=lib${i}.chk
"${shlibsign}" \
-i "${libdir}"/${libname} \
-o "${libdir}"/${chkname}.tmp \
&& mv -f \
"${libdir}"/${chkname}.tmp \
"${libdir}"/${chkname} \
|| die "Failed to sign ${libname}"
done
}

cleanup_chk() {
local libdir="$1"
shift 1
local i
for i in ${NSS_CHK_SIGN_LIBS} ; do
local libfname="${libdir}/lib${i}.so"
# If the major version has changed, then we have old chk files.
[ ! -f "${libfname}" -a -f "${libfname}.chk" ] \
&& rm -f "${libfname}.chk"
done
}

multilib_src_install() {
pushd dist >/dev/null || die

dodir /usr/$(get_libdir)
cp -L */lib/*$(get_libname) "${ED}"/usr/$(get_libdir) || die "copying shared libs failed"
cp -L */lib/libcrmf.a "${ED}"/usr/$(get_libdir) || die "copying libs failed"
cp -L */lib/libfreebl.a "${ED}"/usr/$(get_libdir) || die "copying libs failed"

# Install nss-config and pkgconfig file
dodir /usr/bin
cp -L */bin/nss-config "${ED}"/usr/bin || die
dodir /usr/$(get_libdir)/pkgconfig
cp -L */lib/pkgconfig/nss.pc "${ED}"/usr/$(get_libdir)/pkgconfig || die

# create an nss-softokn.pc from nss.pc for libfreebl and some private headers
# bug 517266
sed -e 's#Libs:#Libs: -lfreebl#' \
-e 's#Cflags:#Cflags: -I${includedir}/private#' \
*/lib/pkgconfig/nss.pc >"${ED}"/usr/$(get_libdir)/pkgconfig/nss-softokn.pc \
|| die "could not create nss-softokn.pc"

# all the include files
insinto /usr/include/nss
doins public/nss/*.h
insinto /usr/include/nss/private
doins private/nss/{blapi,alghmac}.h

popd >/dev/null || die

local f nssutils
# Always enabled because we need it for chk generation.
nssutils="shlibsign"

if multilib_is_native_abi ; then
if use utils; then
# The tests we do not need to install.
#nssutils_test="bltest crmftest dbtest dertimetest
#fipstest remtest sdrtest"
nssutils="addbuiltin atob baddbdir btoa certcgi certutil checkcert
cmsutil conflict crlutil derdump digest makepqg mangle modutil multinit
nonspr10 ocspclnt oidcalc p7content p7env p7sign p7verify pk11mode
pk12util pp rsaperf selfserv shlibsign signtool signver ssltap strsclnt
symkeyutil tstclnt vfychain vfyserv"
# install man-pages for utils (bug #516810)
doman doc/nroff/*.1
fi
pushd dist/*/bin >/dev/null || die
for f in ${nssutils}; do
dobin ${f}
done
popd >/dev/null || die
fi

# Prelink breaks the CHK files. We don't have any reliable way to run
# shlibsign after prelink.
dodir /etc/prelink.conf.d
printf -- "-b ${EPREFIX}/usr/$(get_libdir)/lib%s.so\n" ${NSS_CHK_SIGN_LIBS} \
> "${ED}"/etc/prelink.conf.d/nss.conf
}

pkg_postinst() {
multilib_pkg_postinst() {
# We must re-sign the libraries AFTER they are stripped.
local shlibsign="${EROOT}/usr/bin/shlibsign"
# See if we can execute it (cross-compiling & such). #436216
"${shlibsign}" -h >&/dev/null
if [[ $? -gt 1 ]] ; then
shlibsign="shlibsign"
fi
generate_chk "${shlibsign}" "${EROOT}"/usr/$(get_libdir)
}

multilib_foreach_abi multilib_pkg_postinst
}

pkg_postrm() {
multilib_pkg_postrm() {
cleanup_chk "${EROOT}"/usr/$(get_libdir)
}

multilib_foreach_abi multilib_pkg_postrm
}

0 comments on commit 55fbe59

Please sign in to comment.