dev-libs/nss: drop 3.101.2, 3.112, 3.113, 3.113.1

Signed-off-by: Joonas Niilola <juippis@gentoo.org>
Joonas Niilola 2025-07-26 09:39:39 +03:00
parent 758b7b0b3c
commit a5c12f4a1a
No known key found for this signature in database
GPG Key ID: 7383942B8DC06962
5 changed files with 0 additions and 1780 deletions


@ -1,9 +1,5 @@
DIST nss-3.101-cacert-class1-class3.patch 21925 BLAKE2B 2b37f6b69e0541f31087ff0401b195c035f4b607865c4d29976e4ad2c8143321d65b41b996e922362e076aa8259304ed67b0c4a1f8df2fdfdb1d893319f5d5e7 SHA512 19438aefbb361881c1b4620d8b1b5e7d2bf5afb44900858d3728ff6999a792bf6fe073a11f591ab70461bee8c54fdfb097e4084b402842bc49d2139897de304d
DIST nss-3.101.2.tar.gz 76462495 BLAKE2B 3a0dfd7aa68bc11f332decfc9cb7003b8d8fa6a9dad556ad736229d7d3847e68aeaf5b74e68989a0483bd1b9e2e3afd3bdf8df3d428ebc815eda9a255f5695aa SHA512 65ac338ee1b13ecc2b190f1ea39c987110a06f3b67610e094ffc1ef4117d487c34af1e11b90de0c28035bfc5cb10ca7996ed991d9afce7985973fabb48cd7ac8
DIST nss-3.101.3.tar.gz 76462813 BLAKE2B 03a38804da9e9df79df6c06ebd8b4d5f185cc841d10cd81239f0b3e55ddec3c1ac2b626850004f8d78ea698c8c4d55dbb4adcae9d58fd3890526300c15be96a3 SHA512 105be3ce7b34221ae16a681db12291d08b19fe6f9557bd975627570b5de92d3e2349b16453cca07675483efa0a72e41995750171f08a0d6bac61de2ac3b05850
DIST nss-3.101.4.tar.gz 76462465 BLAKE2B 199f336bf8bbeede27a9dd13fc170565d4f38ea7272e566f90acec6df1fef785eb82efffe352a417f8150760151be6674db5a2398b92f5ec98f092492c0104bd SHA512 d28442bd99620af549608d94f29bc987b1383659338ac114035518921649bf6c4cb39e59fa9be420bcaf851e7703f4d9f9f70aea0f80620fdee8df629804fd24
DIST nss-3.104-cacert-class1-class3.patch 22038 BLAKE2B 66e2dd47230d6aa58a767e35c9c069fa29f3111d470345e0f69486d1eead3cd1741939ac394f6b9b637e79a10d658cfb1a9da4387953b8968a9001bab94d4de0 SHA512 bafc4212e0e0ca3eb129a5b88767727159c6ec3da450c7625d0b282f82699378d64eaa2c3fecb72c61000ec9b6d3c24f20bc7defdac6edc673e0fbb26e0c1f7e
DIST nss-3.112.tar.gz 76620428 BLAKE2B 0de17bfe86ac9e752c4f0c5a4f6db217a74e460850bf79d9bf1fc1b1b2279ad80fb8c4591bea0642d23fa532e71fdb8382ae1dbc797a3a14303439d1aa4868a6 SHA512 564ae4ded323d7213f224673b0ddc584dcfae71bbdd139310854e547d9ba2877ba45462da49f71ea2fae72caea1cf10fa51d9dfef656a21957256cadc5fa4b35
DIST nss-3.113.1.tar.gz 76626220 BLAKE2B a055df90949dc8001203f3154ca3b2b2e90e95a3739a7c2a22dd9aefc0567dd27978dfe25e92afab2ac8b2763eac70e50e51db59abd19c84b4b1b70201a8edfb SHA512 5ffb1182e7d65f8895c09656d20bc7146d1616cd4f09046469b2f79f60b57083094c78da39a3f3faa5087742a19f706ce9e7928a662f9f0d3c410514cba2028f
DIST nss-3.113.tar.gz 76625834 BLAKE2B 6efcc588389378a88697913b5fb00da726361e957834edf9413cc91b29f5a138fb7d2b669a959cf84dfe8b644a19688a14a756b81ee078341631a05c299da62b SHA512 236196965aeb05aab90bf14406fcf8ee95641e466049305e2961e1caa2712bd8f5c58a238ad0c3d419c093b8a88d721cc029f38dd2462bc49c5c4922c0d27f74
DIST nss-3.114.tar.gz 76653541 BLAKE2B 3ba37f3df407d2dd077b9ec0270be9becebd3137705e2dd58553dcbd79327f382ed4c9d17349f0792e554e41a8e843eb74a4681495bf00c6a69dae46b26babeb SHA512 9c9af5c117dea2d89bb093f9a73d9a431ce4eebcfea9295aa37a27a7afb242d353e6904fee7ae69cdb64949bd0ddb685880098553c7d5ac1aac39ea388a2a2d3


@ -1,432 +0,0 @@
# Copyright 1999-2025 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
inherit flag-o-matic multilib toolchain-funcs multilib-minimal
NSPR_VER="4.35"
RTM_NAME="NSS_${PV//./_}_RTM"
DESCRIPTION="Mozilla's Network Security Services library that implements PKI support"
HOMEPAGE="https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS"
SRC_URI="https://archive.mozilla.org/pub/security/nss/releases/${RTM_NAME}/src/${P}.tar.gz
cacert? ( https://dev.gentoo.org/~juippis/mozilla/patchsets/nss-3.101-cacert-class1-class3.patch )"
LICENSE="|| ( MPL-2.0 GPL-2 LGPL-2.1 )"
SLOT="0"
KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~x64-solaris"
IUSE="cacert test +utils cpu_flags_ppc_altivec cpu_flags_x86_avx2 cpu_flags_x86_sse3 cpu_flags_ppc_vsx"
RESTRICT="!test? ( test )"
# pkg-config called by nss-config -> virtual/pkgconfig in RDEPEND
RDEPEND="
>=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}]
>=dev-db/sqlite-3.8.2[${MULTILIB_USEDEP}]
>=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}]
virtual/pkgconfig
"
DEPEND="${RDEPEND}"
BDEPEND="dev-lang/perl"
S="${WORKDIR}/${P}/${PN}"
MULTILIB_CHOST_TOOLS=(
/usr/bin/nss-config
)
PATCHES=(
"${FILESDIR}/${PN}-3.53-gentoo-fixups.patch"
"${FILESDIR}/${PN}-3.21-gentoo-fixup-warnings.patch"
"${FILESDIR}"/nss-3.87-use-clang-as-bgo892686.patch
)
src_prepare() {
default
if use cacert ; then
eapply -p2 "${DISTDIR}"/nss-3.101-cacert-class1-class3.patch
fi
pushd coreconf >/dev/null || die
# hack nspr paths
echo 'INCLUDES += -I$(DIST)/include/dbm' \
>> headers.mk || die "failed to append include"
# modify install path
sed -e '/CORE_DEPTH/s:SOURCE_PREFIX.*$:SOURCE_PREFIX = $(CORE_DEPTH)/dist:' \
-i source.mk || die
# Respect LDFLAGS
sed -i -e 's/\$(MKSHLIB) -o/\$(MKSHLIB) \$(LDFLAGS) -o/g' rules.mk
# Workaround make-4.4's change to sub-make, bmo#1800237, bgo#882069
sed -i -e "s/^CPU_TAG = _.*/CPU_TAG = _$(nssarch)/" Linux.mk || die
popd >/dev/null || die
# Fix pkgconfig file for Prefix
sed -i -e "/^PREFIX =/s:= /usr:= ${EPREFIX}/usr:" \
config/Makefile || die
# use host shlibsign if need be #436216
if tc-is-cross-compiler ; then
sed -i \
-e 's:"${2}"/shlibsign:shlibsign:' \
cmd/shlibsign/sign.sh || die
fi
# dirty hack
sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../freebl/\$(OBJDIR):" \
lib/ssl/config.mk || die
sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../../lib/freebl/\$(OBJDIR):" \
cmd/platlibs.mk || die
multilib_copy_sources
strip-flags
}
multilib_src_configure() {
# Ensure we stay multilib aware
sed -i -e "/@libdir@/ s:lib64:$(get_libdir):" config/Makefile || die
}
nssarch() {
# Most of the arches are the same as $ARCH
local t=${1:-${CHOST}}
case ${t} in
*86*-pc-solaris2*) echo "i86pc" ;;
aarch64*) echo "aarch64" ;;
hppa*) echo "parisc" ;;
i?86*) echo "i686" ;;
x86_64*) echo "x86_64" ;;
*) tc-arch ${t} ;;
esac
}
nssbits() {
local cc cppflags="${1}CPPFLAGS" cflags="${1}CFLAGS"
if [[ ${1} == BUILD_ ]]; then
cc=$(tc-getBUILD_CC)
else
cc=$(tc-getCC)
fi
# TODO: Port this to toolchain-funcs tc-get-ptr-size/tc-get-build-ptr-size
echo > "${T}"/test.c || die
${cc} ${!cppflags} ${!cflags} -fno-lto -c "${T}"/test.c -o "${T}/${1}test.o" || die
case $(file -S "${T}/${1}test.o") in
*32-bit*x86-64*) echo USE_X32=1;;
*64-bit*|*ppc64*|*x86_64*) echo USE_64=1;;
*32-bit*|*ppc*|*i386*) ;;
*) die "Failed to detect whether ${cc} builds 64bits or 32bits, disable distcc if you're using it, please";;
esac
}
multilib_src_compile() {
# use ABI to determine bit'ness, or fallback if unset
local buildbits mybits
case "${ABI}" in
n32) mybits="USE_N32=1";;
x32) mybits="USE_X32=1";;
s390x|*64) mybits="USE_64=1";;
${DEFAULT_ABI})
einfo "Running compilation test to determine bit'ness"
mybits=$(nssbits)
;;
esac
# bitness of host may differ from target
if tc-is-cross-compiler; then
buildbits=$(nssbits BUILD_)
fi
local makeargs=(
CC="$(tc-getCC)"
CCC="$(tc-getCXX)"
AR="$(tc-getAR) rc \$@"
RANLIB="$(tc-getRANLIB)"
OPTIMIZER=
${mybits}
disable_ckbi=0
)
# Take care of nspr settings #436216
local myCPPFLAGS="${CPPFLAGS} $($(tc-getPKG_CONFIG) nspr --cflags) -D_FILE_OFFSET_BITS=64"
unset NSPR_INCLUDE_DIR
export NSS_ALLOW_SSLKEYLOGFILE=1
export NSS_ENABLE_WERROR=0 #567158
export BUILD_OPT=1
export NSS_USE_SYSTEM_SQLITE=1
export NSDISTMODE=copy
export FREEBL_NO_DEPEND=1
export FREEBL_LOWHASH=1
export NSS_SEED_ONLY_DEV_URANDOM=1
export USE_SYSTEM_ZLIB=1
export ZLIB_LIBS=-lz
export ASFLAGS=""
# Fix build failure on arm64
export NS_USE_GCC=1
# Detect compiler type and set proper environment value
if tc-is-gcc; then
export CC_IS_GCC=1
elif tc-is-clang; then
export CC_IS_CLANG=1
fi
export NSS_DISABLE_GTESTS=$(usex !test 1 0)
# Include exportable custom settings defined by users, #900915
# Two examples uses:
# EXTRA_NSSCONF="MYONESWITCH=1"
# EXTRA_NSSCONF="MYVALUE=0 MYOTHERVALUE=1 MYTHIRDVALUE=1"
# e.g.
# EXTRA_NSSCONF="NSS_ALLOW_SSLKEYLOGFILE=0"
# or
# EXTRA_NSSCONF="NSS_ALLOW_SSLKEYLOGFILE=0 NSS_ENABLE_WERROR=1"
# etc.
if [[ -n "${EXTRA_NSSCONF}" ]]; then
ewarn "EXTRA_NSSCONF applied, please disable custom settings before reporting bugs."
read -a myextranssconf <<< "${EXTRA_NSSCONF}"
for (( i=0; i<${#myextranssconf[@]}; i++ )); do
export "${myextranssconf[$i]}"
echo "exported ${myextranssconf[$i]}"
done
fi
# explicitly disable altivec/vsx if not requested
# https://bugs.gentoo.org/789114
case ${ARCH} in
ppc*)
use cpu_flags_ppc_altivec || export NSS_DISABLE_ALTIVEC=1
use cpu_flags_ppc_vsx || export NSS_DISABLE_CRYPTO_VSX=1
;;
esac
use cpu_flags_x86_avx2 || export NSS_DISABLE_AVX2=1
use cpu_flags_x86_sse3 || export NSS_DISABLE_SSE3=1
local d
# Build the host tools first.
LDFLAGS="${BUILD_LDFLAGS}" \
XCFLAGS="${BUILD_CFLAGS} -D_FILE_OFFSET_BITS=64" \
NSPR_LIB_DIR="${T}/fakedir" \
emake -C coreconf \
CC="$(tc-getBUILD_CC)" \
${buildbits-${mybits}}
makeargs+=( NSINSTALL="${PWD}/$(find -type f -name nsinstall)" )
# Then build the target tools.
for d in . lib/dbm ; do
CPPFLAGS="${myCPPFLAGS}" \
XCFLAGS="${CFLAGS} ${CPPFLAGS} -D_FILE_OFFSET_BITS=64" \
NSPR_LIB_DIR="${T}/fakedir" \
emake "${makeargs[@]}" -C ${d} OS_TEST="$(nssarch)"
done
}
multilib_src_test() {
einfo "Tests can take a *long* time, especially on a multilib system."
einfo "30-45+ minutes per lib configuration. Bug #852755"
# https://www.linuxfromscratch.org/blfs/view/svn/postlfs/nss.html
# https://firefox-source-docs.mozilla.org/security/nss/legacy/nss_sources_building_testing/index.html#running_the_nss_test_suite
# https://www-archive.mozilla.org/projects/security/pki/nss/testnss_32.html (older)
export BUILD_OPT=1
export HOST="localhost"
export DOMSUF="localdomain"
export USE_IP=TRUE
export IP_ADDRESS="127.0.0.1"
# Only run the standard cycle instead of full, reducing testing time from 45 minutes to 15
# per lib implementation.
export NSS_CYCLES=standard
NSINSTALL="${PWD}/$(find -type f -name nsinstall)"
cd "${BUILD_DIR}"/tests || die
# Hack to get current objdir (prefixed dir where built binaries are)
# Without this, at least multilib tests go wrong when building the amd64 variant
# after x86.
local objdir=$(find "${BUILD_DIR}"/dist -maxdepth 1 -iname Linux* | rev | cut -d/ -f1 | rev)
# Can tweak to a subset of tests in future if we need to, but would prefer not
OBJDIR="${objdir}" DIST="${BUILD_DIR}/dist" MOZILLA_ROOT="${BUILD_DIR}" ./all.sh || die
}
# Altering these 3 libraries breaks the CHK verification.
# All of the following cause it to break:
# - stripping
# - prelink
# - ELF signing
# http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn6.html
# Either we have to NOT strip them, or we have to forcibly resign after
# stripping.
#local_libdir="$(get_libdir)"
#export STRIP_MASK="
# */${local_libdir}/libfreebl3.so*
# */${local_libdir}/libnssdbm3.so*
# */${local_libdir}/libsoftokn3.so*"
export NSS_CHK_SIGN_LIBS="freebl3 nssdbm3 softokn3"
generate_chk() {
local shlibsign="$1"
local libdir="$2"
einfo "Resigning core NSS libraries for FIPS validation"
shift 2
local i
for i in ${NSS_CHK_SIGN_LIBS} ; do
local libname=lib${i}.so
local chkname=lib${i}.chk
"${shlibsign}" \
-i "${libdir}"/${libname} \
-o "${libdir}"/${chkname}.tmp \
&& mv -f \
"${libdir}"/${chkname}.tmp \
"${libdir}"/${chkname} \
|| die "Failed to sign ${libname}"
done
}
cleanup_chk() {
local libdir="$1"
shift 1
local i
for i in ${NSS_CHK_SIGN_LIBS} ; do
local libfname="${libdir}/lib${i}.so"
# If the major version has changed, then we have old chk files.
[ ! -f "${libfname}" -a -f "${libfname}.chk" ] \
&& rm -f "${libfname}.chk"
done
}
multilib_src_install() {
pushd dist >/dev/null || die
dodir /usr/$(get_libdir)
cp -L */lib/*$(get_libname) "${ED}"/usr/$(get_libdir) || die "copying shared libs failed"
local i
for i in crmf freebl nssb nssckfw ; do
cp -L */lib/lib${i}.a "${ED}"/usr/$(get_libdir) || die "copying libs failed"
done
# Install nss-config and pkgconfig file
dodir /usr/bin
cp -L */bin/nss-config "${ED}"/usr/bin || die
dodir /usr/$(get_libdir)/pkgconfig
cp -L */lib/pkgconfig/nss.pc "${ED}"/usr/$(get_libdir)/pkgconfig || die
# create an nss-softokn.pc from nss.pc for libfreebl and some private headers
# bug 517266
sed -e 's#Libs:#Libs: -lfreebl#' \
-e 's#Cflags:#Cflags: -I${includedir}/private#' \
*/lib/pkgconfig/nss.pc >"${ED}"/usr/$(get_libdir)/pkgconfig/nss-softokn.pc \
|| die "could not create nss-softokn.pc"
# all the include files
insinto /usr/include/nss
doins public/nss/*.{h,api}
insinto /usr/include/nss/private
doins private/nss/{blapi,alghmac,cmac}.h
popd >/dev/null || die
local f nssutils
# Always enabled because we need it for chk generation.
nssutils=( shlibsign )
if multilib_is_native_abi ; then
if use utils; then
# The tests we do not need to install.
#nssutils_test="bltest crmftest dbtest dertimetest
#fipstest remtest sdrtest"
# checkcert utils has been removed in nss-3.22:
# https://bugzilla.mozilla.org/show_bug.cgi?id=1187545
# https://hg.mozilla.org/projects/nss/rev/df1729d37870
# certcgi has been removed in nss-3.36:
# https://bugzilla.mozilla.org/show_bug.cgi?id=1426602
nssutils+=(
addbuiltin
atob
baddbdir
btoa
certutil
cmsutil
conflict
crlutil
derdump
digest
makepqg
mangle
modutil
multinit
nonspr10
ocspclnt
oidcalc
p7content
p7env
p7sign
p7verify
pk11mode
pk12util
pp
rsaperf
selfserv
signtool
signver
ssltap
strsclnt
symkeyutil
tstclnt
vfychain
vfyserv
)
# install man-pages for utils (bug #516810)
doman doc/nroff/*.1
fi
pushd dist/*/bin >/dev/null || die
for f in ${nssutils[@]}; do
dobin ${f}
done
popd >/dev/null || die
fi
}
pkg_postinst() {
if [[ -n "${ROOT}" ]]; then
elog "You appear to to be installing in a seperate \$ROOT"
elog "to complete the setup and re-sign libraries please run:"
elog "emerge --config '=${CATEGORY}/${PF}'"
else
sign_libraries
fi
}
pkg_config() {
sign_libraries
}
sign_libraries() {
multilib_pkg_postinst() {
# We must re-sign the libraries AFTER they are stripped.
local shlibsign="${EROOT}/usr/bin/shlibsign"
# See if we can execute it (cross-compiling & such). #436216
"${shlibsign}" -h >&/dev/null
if [[ $? -gt 1 ]] ; then
shlibsign="shlibsign"
fi
generate_chk "${shlibsign}" "${EROOT}"/usr/$(get_libdir)
}
multilib_foreach_abi multilib_pkg_postinst
}
pkg_postrm() {
multilib_pkg_postrm() {
cleanup_chk "${EROOT}"/usr/$(get_libdir)
}
multilib_foreach_abi multilib_pkg_postrm
}


@ -1,448 +0,0 @@
# Copyright 1999-2025 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
inherit dot-a flag-o-matic multilib toolchain-funcs multilib-minimal
NSPR_VER="4.35"
RTM_NAME="NSS_${PV//./_}_RTM"
DESCRIPTION="Mozilla's Network Security Services library that implements PKI support"
HOMEPAGE="https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS"
SRC_URI="https://archive.mozilla.org/pub/security/nss/releases/${RTM_NAME}/src/${P}.tar.gz
cacert? ( https://dev.gentoo.org/~juippis/mozilla/patchsets/nss-3.104-cacert-class1-class3.patch )"
LICENSE="|| ( MPL-2.0 GPL-2 LGPL-2.1 )"
SLOT="0"
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~x64-solaris"
IUSE="cacert test test-full +utils cpu_flags_ppc_altivec cpu_flags_x86_avx2 cpu_flags_x86_sse3 cpu_flags_ppc_vsx"
REQUIRED_USE="test-full? ( test )"
PROPERTIES="test_network"
RESTRICT="test"
# pkg-config called by nss-config -> virtual/pkgconfig in RDEPEND
RDEPEND="
>=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}]
>=dev-db/sqlite-3.8.2[${MULTILIB_USEDEP}]
>=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}]
virtual/pkgconfig
"
DEPEND="${RDEPEND}"
BDEPEND="dev-lang/perl"
S="${WORKDIR}/${P}/${PN}"
MULTILIB_CHOST_TOOLS=(
/usr/bin/nss-config
)
PATCHES=(
"${FILESDIR}"/nss-3.103-gentoo-fixes-add-pkgconfig-files.patch
"${FILESDIR}"/nss-3.21-gentoo-fixup-warnings.patch
"${FILESDIR}"/nss-3.87-use-clang-as-bgo892686.patch
)
src_prepare() {
default
if use cacert ; then
eapply -p2 "${DISTDIR}"/nss-3.104-cacert-class1-class3.patch
fi
pushd coreconf >/dev/null || die
# hack nspr paths
echo 'INCLUDES += -I$(DIST)/include/dbm' \
>> headers.mk || die "failed to append include"
# modify install path
sed -e '/CORE_DEPTH/s:SOURCE_PREFIX.*$:SOURCE_PREFIX = $(CORE_DEPTH)/dist:' \
-i source.mk || die
# Respect LDFLAGS
sed -i -e 's/\$(MKSHLIB) -o/\$(MKSHLIB) \$(LDFLAGS) -o/g' rules.mk
# Workaround make-4.4's change to sub-make, bmo#1800237, bgo#882069
sed -i -e "s/^CPU_TAG = _.*/CPU_TAG = _$(nssarch)/" Linux.mk || die
popd >/dev/null || die
# Fix pkgconfig file for Prefix
sed -i -e "/^PREFIX =/s:= /usr:= ${EPREFIX}/usr:" \
config/Makefile || die
# use host shlibsign if need be #436216
if tc-is-cross-compiler ; then
sed -i \
-e 's:"${2}"/shlibsign:shlibsign:' \
cmd/shlibsign/sign.sh || die
fi
# dirty hack
sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../freebl/\$(OBJDIR):" \
lib/ssl/config.mk || die
sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../../lib/freebl/\$(OBJDIR):" \
cmd/platlibs.mk || die
multilib_copy_sources
lto-guarantee-fat
strip-flags
}
multilib_src_configure() {
# Ensure we stay multilib aware
sed -i -e "/@libdir@/ s:lib64:$(get_libdir):" config/Makefile || die
}
nssarch() {
# Most of the arches are the same as $ARCH
local t=${1:-${CHOST}}
case ${t} in
*86*-pc-solaris2*) echo "i86pc" ;;
aarch64*) echo "aarch64" ;;
hppa*) echo "parisc" ;;
i?86*) echo "i686" ;;
x86_64*) echo "x86_64" ;;
*) tc-arch ${t} ;;
esac
}
nssbits() {
local cc cppflags="${1}CPPFLAGS" cflags="${1}CFLAGS"
if [[ ${1} == BUILD_ ]]; then
cc=$(tc-getBUILD_CC)
else
cc=$(tc-getCC)
fi
# TODO: Port this to toolchain-funcs tc-get-ptr-size/tc-get-build-ptr-size
echo > "${T}"/test.c || die
${cc} ${!cppflags} ${!cflags} -fno-lto -c "${T}"/test.c -o "${T}/${1}test.o" || die
case $(file -S "${T}/${1}test.o") in
*32-bit*x86-64*) echo USE_X32=1;;
*64-bit*|*ppc64*|*x86_64*) echo USE_64=1;;
*32-bit*|*ppc*|*i386*) ;;
*) die "Failed to detect whether ${cc} builds 64bits or 32bits, disable distcc if you're using it, please";;
esac
}
multilib_src_compile() {
# use ABI to determine bit'ness, or fallback if unset
local buildbits mybits
case "${ABI}" in
n32) mybits="USE_N32=1";;
x32) mybits="USE_X32=1";;
s390x|*64) mybits="USE_64=1";;
${DEFAULT_ABI})
einfo "Running compilation test to determine bit'ness"
mybits=$(nssbits)
;;
esac
# bitness of host may differ from target
if tc-is-cross-compiler; then
buildbits=$(nssbits BUILD_)
fi
local makeargs=(
CC="$(tc-getCC)"
CCC="$(tc-getCXX)"
AR="$(tc-getAR) rc \$@"
RANLIB="$(tc-getRANLIB)"
OPTIMIZER=
${mybits}
disable_ckbi=0
)
# Take care of nspr settings #436216
local myCPPFLAGS="${CPPFLAGS} $($(tc-getPKG_CONFIG) nspr --cflags) -D_FILE_OFFSET_BITS=64"
unset NSPR_INCLUDE_DIR
export NSS_ALLOW_SSLKEYLOGFILE=1
export NSS_ENABLE_WERROR=0 #567158
export BUILD_OPT=1
export NSS_USE_SYSTEM_SQLITE=1
export NSDISTMODE=copy
export FREEBL_NO_DEPEND=1
export FREEBL_LOWHASH=1
export NSS_SEED_ONLY_DEV_URANDOM=1
export USE_SYSTEM_ZLIB=1
export ZLIB_LIBS=-lz
export ASFLAGS=""
# Fix build failure on arm64
export NS_USE_GCC=1
# Detect compiler type and set proper environment value
if tc-is-gcc; then
export CC_IS_GCC=1
elif tc-is-clang; then
export CC_IS_CLANG=1
fi
export NSS_DISABLE_GTESTS=$(usex !test 1 0)
# Include exportable custom settings defined by users, #900915
# Two examples uses:
# EXTRA_NSSCONF="MYONESWITCH=1"
# EXTRA_NSSCONF="MYVALUE=0 MYOTHERVALUE=1 MYTHIRDVALUE=1"
# e.g.
# EXTRA_NSSCONF="NSS_ALLOW_SSLKEYLOGFILE=0"
# or
# EXTRA_NSSCONF="NSS_ALLOW_SSLKEYLOGFILE=0 NSS_ENABLE_WERROR=1"
# etc.
if [[ -n "${EXTRA_NSSCONF}" ]]; then
ewarn "EXTRA_NSSCONF applied, please disable custom settings before reporting bugs."
read -a myextranssconf <<< "${EXTRA_NSSCONF}"
for (( i=0; i<${#myextranssconf[@]}; i++ )); do
export "${myextranssconf[$i]}"
echo "exported ${myextranssconf[$i]}"
done
fi
# explicitly disable altivec/vsx if not requested
# https://bugs.gentoo.org/789114
case ${ARCH} in
ppc*)
use cpu_flags_ppc_altivec || export NSS_DISABLE_ALTIVEC=1
use cpu_flags_ppc_vsx || export NSS_DISABLE_CRYPTO_VSX=1
;;
esac
use cpu_flags_x86_avx2 || export NSS_DISABLE_AVX2=1
use cpu_flags_x86_sse3 || export NSS_DISABLE_SSE3=1
local d
# Disables calling shlibsign during the build #956431 and #436216
tc-is-cross-compiler && makeargs+=( CROSS_COMPILE=1 )
# Build the host tools first.
LDFLAGS="${BUILD_LDFLAGS}" \
XCFLAGS="${BUILD_CFLAGS} -D_FILE_OFFSET_BITS=64" \
NSPR_LIB_DIR="${T}/fakedir" \
emake -C coreconf \
CC="$(tc-getBUILD_CC)" \
${buildbits-${mybits}}
makeargs+=( NSINSTALL="${PWD}/$(find -type f -name nsinstall)" )
# Then build the target tools.
for d in . lib/dbm ; do
CPPFLAGS="${myCPPFLAGS}" \
XCFLAGS="${CFLAGS} ${CPPFLAGS} -D_FILE_OFFSET_BITS=64" \
NSPR_LIB_DIR="${T}/fakedir" \
emake "${makeargs[@]}" -C ${d} OS_TEST="$(nssarch)"
done
}
multilib_src_test() {
einfo "Tests can take a *long* time, especially on a multilib system."
einfo "~10 minutes per lib configuration with only 'standard' tests,"
einfo "~40 minutes per lib configuration with 'full' tests. Bug #852755"
# https://www.linuxfromscratch.org/blfs/view/svn/postlfs/nss.html
# https://firefox-source-docs.mozilla.org/security/nss/legacy/nss_sources_building_testing/index.html#running_the_nss_test_suite
# https://www-archive.mozilla.org/projects/security/pki/nss/testnss_32.html (older)
export BUILD_OPT=1
export HOST="localhost"
export DOMSUF="localdomain"
export USE_IP=TRUE
export IP_ADDRESS="127.0.0.1"
# Only run the standard cycle instead of full, reducing testing time from 45 minutes to 15
# per lib implementation.
if use test-full ; then
# export NSS_CYCLES="standard pkix sharedb"
:;
else
export NSS_CYCLES="standard"
fi
NSINSTALL="${PWD}/$(find -type f -name nsinstall)"
cd "${BUILD_DIR}"/tests || die
# Hack to get current objdir (prefixed dir where built binaries are)
# Without this, at least multilib tests go wrong when building the amd64 variant
# after x86.
local objdir=$(find "${BUILD_DIR}"/dist -maxdepth 1 -iname Linux* | rev | cut -d/ -f1 | rev)
# Can tweak to a subset of tests in future if we need to, but would prefer not
OBJDIR="${objdir}" DIST="${BUILD_DIR}/dist" MOZILLA_ROOT="${BUILD_DIR}" ./all.sh || die
}
# Altering these 3 libraries breaks the CHK verification.
# All of the following cause it to break:
# - stripping
# - prelink
# - ELF signing
# http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn6.html
# Either we have to NOT strip them, or we have to forcibly resign after
# stripping.
#local_libdir="$(get_libdir)"
#export STRIP_MASK="
# */${local_libdir}/libfreebl3.so*
# */${local_libdir}/libnssdbm3.so*
# */${local_libdir}/libsoftokn3.so*"
export NSS_CHK_SIGN_LIBS="freebl3 nssdbm3 softokn3"
generate_chk() {
local shlibsign="$1"
local libdir="$2"
einfo "Resigning core NSS libraries for FIPS validation"
shift 2
local i
for i in ${NSS_CHK_SIGN_LIBS} ; do
local libname=lib${i}.so
local chkname=lib${i}.chk
"${shlibsign}" \
-i "${libdir}"/${libname} \
-o "${libdir}"/${chkname}.tmp \
&& mv -f \
"${libdir}"/${chkname}.tmp \
"${libdir}"/${chkname} \
|| die "Failed to sign ${libname}"
done
}
cleanup_chk() {
local libdir="$1"
shift 1
local i
for i in ${NSS_CHK_SIGN_LIBS} ; do
local libfname="${libdir}/lib${i}.so"
# If the major version has changed, then we have old chk files.
[ ! -f "${libfname}" -a -f "${libfname}.chk" ] \
&& rm -f "${libfname}.chk"
done
}
multilib_src_install() {
pushd dist >/dev/null || die
dodir /usr/$(get_libdir)
cp -L */lib/*$(get_libname) "${ED}"/usr/$(get_libdir) || die "copying shared libs failed"
local i
for i in crmf freebl nssb nssckfw ; do
cp -L */lib/lib${i}.a "${ED}"/usr/$(get_libdir) || die "copying libs failed"
done
# Install nss-config and pkgconfig file
dodir /usr/bin
cp -L */bin/nss-config "${ED}"/usr/bin || die
dodir /usr/$(get_libdir)/pkgconfig
cp -L */lib/pkgconfig/nss.pc "${ED}"/usr/$(get_libdir)/pkgconfig || die
# create an nss-softokn.pc from nss.pc for libfreebl and some private headers
# bug 517266
sed -e 's#Libs:#Libs: -lfreebl#' \
-e 's#Cflags:#Cflags: -I${includedir}/private#' \
*/lib/pkgconfig/nss.pc >"${ED}"/usr/$(get_libdir)/pkgconfig/nss-softokn.pc \
|| die "could not create nss-softokn.pc"
# all the include files
insinto /usr/include/nss
doins public/nss/*.{h,api}
insinto /usr/include/nss/private
doins private/nss/{blapi,alghmac,cmac}.h
popd >/dev/null || die
local f nssutils
# Always enabled because we need it for chk generation.
nssutils=( shlibsign )
if multilib_is_native_abi ; then
if use utils; then
# The tests we do not need to install.
#nssutils_test="bltest crmftest dbtest dertimetest
#fipstest remtest sdrtest"
# checkcert utils has been removed in nss-3.22:
# https://bugzilla.mozilla.org/show_bug.cgi?id=1187545
# https://hg.mozilla.org/projects/nss/rev/df1729d37870
# certcgi has been removed in nss-3.36:
# https://bugzilla.mozilla.org/show_bug.cgi?id=1426602
nssutils+=(
addbuiltin
atob
baddbdir
btoa
certutil
cmsutil
conflict
crlutil
derdump
digest
makepqg
mangle
modutil
multinit
nonspr10
ocspclnt
oidcalc
p7content
p7env
p7sign
p7verify
pk11mode
pk12util
pp
rsaperf
selfserv
signtool
signver
ssltap
strsclnt
symkeyutil
tstclnt
vfychain
vfyserv
)
# install man-pages for utils (bug #516810)
doman doc/nroff/*.1
fi
pushd dist/*/bin >/dev/null || die
for f in ${nssutils[@]}; do
dobin ${f}
done
popd >/dev/null || die
fi
strip-lto-bytecode
}
pkg_postinst() {
if [[ -n "${ROOT}" ]]; then
elog "You appear to to be installing in a seperate \$ROOT"
elog "to complete the setup and re-sign libraries please run:"
elog "emerge --config '=${CATEGORY}/${PF}'"
else
sign_libraries
fi
}
pkg_config() {
sign_libraries
}
sign_libraries() {
multilib_pkg_postinst() {
# We must re-sign the libraries AFTER they are stripped.
local shlibsign="${EROOT}/usr/bin/shlibsign"
# See if we can execute it (cross-compiling & such). #436216
"${shlibsign}" -h >&/dev/null
if [[ $? -gt 1 ]] ; then
shlibsign="shlibsign"
fi
generate_chk "${shlibsign}" "${EROOT}"/usr/$(get_libdir)
}
multilib_foreach_abi multilib_pkg_postinst
}
pkg_postrm() {
multilib_pkg_postrm() {
cleanup_chk "${EROOT}"/usr/$(get_libdir)
}
multilib_foreach_abi multilib_pkg_postrm
}


@ -1,448 +0,0 @@
# Copyright 1999-2025 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
inherit dot-a flag-o-matic multilib toolchain-funcs multilib-minimal
NSPR_VER="4.35"
RTM_NAME="NSS_${PV//./_}_RTM"
DESCRIPTION="Mozilla's Network Security Services library that implements PKI support"
HOMEPAGE="https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS"
SRC_URI="https://archive.mozilla.org/pub/security/nss/releases/${RTM_NAME}/src/${P}.tar.gz
cacert? ( https://dev.gentoo.org/~juippis/mozilla/patchsets/nss-3.104-cacert-class1-class3.patch )"
LICENSE="|| ( MPL-2.0 GPL-2 LGPL-2.1 )"
SLOT="0"
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~x64-solaris"
IUSE="cacert test test-full +utils cpu_flags_ppc_altivec cpu_flags_x86_avx2 cpu_flags_x86_sse3 cpu_flags_ppc_vsx"
REQUIRED_USE="test-full? ( test )"
PROPERTIES="test_network"
RESTRICT="test"
# pkg-config called by nss-config -> virtual/pkgconfig in RDEPEND
RDEPEND="
>=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}]
>=dev-db/sqlite-3.8.2[${MULTILIB_USEDEP}]
>=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}]
virtual/pkgconfig
"
DEPEND="${RDEPEND}"
BDEPEND="dev-lang/perl"
S="${WORKDIR}/${P}/${PN}"
MULTILIB_CHOST_TOOLS=(
/usr/bin/nss-config
)
PATCHES=(
"${FILESDIR}"/nss-3.103-gentoo-fixes-add-pkgconfig-files.patch
"${FILESDIR}"/nss-3.21-gentoo-fixup-warnings.patch
"${FILESDIR}"/nss-3.87-use-clang-as-bgo892686.patch
)
src_prepare() {
default
if use cacert ; then
eapply -p2 "${DISTDIR}"/nss-3.104-cacert-class1-class3.patch
fi
pushd coreconf >/dev/null || die
# hack nspr paths
echo 'INCLUDES += -I$(DIST)/include/dbm' \
>> headers.mk || die "failed to append include"
# modify install path
sed -e '/CORE_DEPTH/s:SOURCE_PREFIX.*$:SOURCE_PREFIX = $(CORE_DEPTH)/dist:' \
-i source.mk || die
# Respect LDFLAGS
sed -i -e 's/\$(MKSHLIB) -o/\$(MKSHLIB) \$(LDFLAGS) -o/g' rules.mk
# Workaround make-4.4's change to sub-make, bmo#1800237, bgo#882069
sed -i -e "s/^CPU_TAG = _.*/CPU_TAG = _$(nssarch)/" Linux.mk || die
popd >/dev/null || die
# Fix pkgconfig file for Prefix
sed -i -e "/^PREFIX =/s:= /usr:= ${EPREFIX}/usr:" \
config/Makefile || die
# use host shlibsign if need be #436216
if tc-is-cross-compiler ; then
sed -i \
-e 's:"${2}"/shlibsign:shlibsign:' \
cmd/shlibsign/sign.sh || die
fi
# dirty hack
sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../freebl/\$(OBJDIR):" \
lib/ssl/config.mk || die
sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../../lib/freebl/\$(OBJDIR):" \
cmd/platlibs.mk || die
multilib_copy_sources
lto-guarantee-fat
strip-flags
}
multilib_src_configure() {
# Ensure we stay multilib aware
sed -i -e "/@libdir@/ s:lib64:$(get_libdir):" config/Makefile || die
}
nssarch() {
# Most of the arches are the same as $ARCH
local t=${1:-${CHOST}}
case ${t} in
*86*-pc-solaris2*) echo "i86pc" ;;
aarch64*) echo "aarch64" ;;
hppa*) echo "parisc" ;;
i?86*) echo "i686" ;;
x86_64*) echo "x86_64" ;;
*) tc-arch ${t} ;;
esac
}
nssbits() {
local cc cppflags="${1}CPPFLAGS" cflags="${1}CFLAGS"
if [[ ${1} == BUILD_ ]]; then
cc=$(tc-getBUILD_CC)
else
cc=$(tc-getCC)
fi
# TODO: Port this to toolchain-funcs tc-get-ptr-size/tc-get-build-ptr-size
echo > "${T}"/test.c || die
${cc} ${!cppflags} ${!cflags} -fno-lto -c "${T}"/test.c -o "${T}/${1}test.o" || die
case $(file -S "${T}/${1}test.o") in
*32-bit*x86-64*) echo USE_X32=1;;
*64-bit*|*ppc64*|*x86_64*) echo USE_64=1;;
*32-bit*|*ppc*|*i386*) ;;
*) die "Failed to detect whether ${cc} builds 64bits or 32bits, disable distcc if you're using it, please";;
esac
}
multilib_src_compile() {
# use ABI to determine bit'ness, or fallback if unset
local buildbits mybits
case "${ABI}" in
n32) mybits="USE_N32=1";;
x32) mybits="USE_X32=1";;
s390x|*64) mybits="USE_64=1";;
${DEFAULT_ABI})
einfo "Running compilation test to determine bit'ness"
mybits=$(nssbits)
;;
esac
# bitness of host may differ from target
if tc-is-cross-compiler; then
buildbits=$(nssbits BUILD_)
fi
local makeargs=(
CC="$(tc-getCC)"
CCC="$(tc-getCXX)"
AR="$(tc-getAR) rc \$@"
RANLIB="$(tc-getRANLIB)"
OPTIMIZER=
${mybits}
disable_ckbi=0
)
# Take care of nspr settings #436216
local myCPPFLAGS="${CPPFLAGS} $($(tc-getPKG_CONFIG) nspr --cflags) -D_FILE_OFFSET_BITS=64"
unset NSPR_INCLUDE_DIR
export NSS_ALLOW_SSLKEYLOGFILE=1
export NSS_ENABLE_WERROR=0 #567158
export BUILD_OPT=1
export NSS_USE_SYSTEM_SQLITE=1
export NSDISTMODE=copy
export FREEBL_NO_DEPEND=1
export FREEBL_LOWHASH=1
export NSS_SEED_ONLY_DEV_URANDOM=1
export USE_SYSTEM_ZLIB=1
export ZLIB_LIBS=-lz
export ASFLAGS=""
# Fix build failure on arm64
export NS_USE_GCC=1
# Detect compiler type and set proper environment value
if tc-is-gcc; then
export CC_IS_GCC=1
elif tc-is-clang; then
export CC_IS_CLANG=1
fi
export NSS_DISABLE_GTESTS=$(usex !test 1 0)
# Include exportable custom settings defined by users, #900915
# Two examples uses:
# EXTRA_NSSCONF="MYONESWITCH=1"
# EXTRA_NSSCONF="MYVALUE=0 MYOTHERVALUE=1 MYTHIRDVALUE=1"
# e.g.
# EXTRA_NSSCONF="NSS_ALLOW_SSLKEYLOGFILE=0"
# or
# EXTRA_NSSCONF="NSS_ALLOW_SSLKEYLOGFILE=0 NSS_ENABLE_WERROR=1"
# etc.
if [[ -n "${EXTRA_NSSCONF}" ]]; then
ewarn "EXTRA_NSSCONF applied, please disable custom settings before reporting bugs."
read -a myextranssconf <<< "${EXTRA_NSSCONF}"
for (( i=0; i<${#myextranssconf[@]}; i++ )); do
export "${myextranssconf[$i]}"
echo "exported ${myextranssconf[$i]}"
done
fi
# explicitly disable altivec/vsx if not requested
# https://bugs.gentoo.org/789114
case ${ARCH} in
ppc*)
use cpu_flags_ppc_altivec || export NSS_DISABLE_ALTIVEC=1
use cpu_flags_ppc_vsx || export NSS_DISABLE_CRYPTO_VSX=1
;;
esac
use cpu_flags_x86_avx2 || export NSS_DISABLE_AVX2=1
use cpu_flags_x86_sse3 || export NSS_DISABLE_SSE3=1
local d
# Disables calling shlibsign during the build #956431 and #436216
tc-is-cross-compiler && makeargs+=( CROSS_COMPILE=1 )
# Build the host tools first.
LDFLAGS="${BUILD_LDFLAGS}" \
XCFLAGS="${BUILD_CFLAGS} -D_FILE_OFFSET_BITS=64" \
NSPR_LIB_DIR="${T}/fakedir" \
emake -C coreconf \
CC="$(tc-getBUILD_CC)" \
${buildbits-${mybits}}
makeargs+=( NSINSTALL="${PWD}/$(find -type f -name nsinstall)" )
# Then build the target tools.
for d in . lib/dbm ; do
CPPFLAGS="${myCPPFLAGS}" \
XCFLAGS="${CFLAGS} ${CPPFLAGS} -D_FILE_OFFSET_BITS=64" \
NSPR_LIB_DIR="${T}/fakedir" \
emake "${makeargs[@]}" -C ${d} OS_TEST="$(nssarch)"
done
}
multilib_src_test() {
einfo "Tests can take a *long* time, especially on a multilib system."
einfo "~10 minutes per lib configuration with only 'standard' tests,"
einfo "~40 minutes per lib configuration with 'full' tests. Bug #852755"
# https://www.linuxfromscratch.org/blfs/view/svn/postlfs/nss.html
# https://firefox-source-docs.mozilla.org/security/nss/legacy/nss_sources_building_testing/index.html#running_the_nss_test_suite
# https://www-archive.mozilla.org/projects/security/pki/nss/testnss_32.html (older)
export BUILD_OPT=1
export HOST="localhost"
export DOMSUF="localdomain"
export USE_IP=TRUE
export IP_ADDRESS="127.0.0.1"
# Only run the standard cycle instead of full, reducing testing time from 45 minutes to 15
# per lib implementation.
if use test-full ; then
# export NSS_CYCLES="standard pkix sharedb"
:;
else
export NSS_CYCLES="standard"
fi
NSINSTALL="${PWD}/$(find -type f -name nsinstall)"
cd "${BUILD_DIR}"/tests || die
# Hack to get current objdir (prefixed dir where built binaries are)
# Without this, at least multilib tests go wrong when building the amd64 variant
# after x86.
local objdir=$(find "${BUILD_DIR}"/dist -maxdepth 1 -iname Linux* | rev | cut -d/ -f1 | rev)
# Can tweak to a subset of tests in future if we need to, but would prefer not
OBJDIR="${objdir}" DIST="${BUILD_DIR}/dist" MOZILLA_ROOT="${BUILD_DIR}" ./all.sh || die
}
# Altering these 3 libraries breaks the CHK verification.
# All of the following cause it to break:
# - stripping
# - prelink
# - ELF signing
# http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn6.html
# Either we have to NOT strip them, or we have to forcibly resign after
# stripping.
#local_libdir="$(get_libdir)"
#export STRIP_MASK="
# */${local_libdir}/libfreebl3.so*
# */${local_libdir}/libnssdbm3.so*
# */${local_libdir}/libsoftokn3.so*"
export NSS_CHK_SIGN_LIBS="freebl3 nssdbm3 softokn3"
generate_chk() {
local shlibsign="$1"
local libdir="$2"
einfo "Resigning core NSS libraries for FIPS validation"
shift 2
local i
for i in ${NSS_CHK_SIGN_LIBS} ; do
local libname=lib${i}.so
local chkname=lib${i}.chk
"${shlibsign}" \
-i "${libdir}"/${libname} \
-o "${libdir}"/${chkname}.tmp \
&& mv -f \
"${libdir}"/${chkname}.tmp \
"${libdir}"/${chkname} \
|| die "Failed to sign ${libname}"
done
}
cleanup_chk() {
local libdir="$1"
shift 1
local i
for i in ${NSS_CHK_SIGN_LIBS} ; do
local libfname="${libdir}/lib${i}.so"
# If the major version has changed, then we have old chk files.
[ ! -f "${libfname}" -a -f "${libfname}.chk" ] \
&& rm -f "${libfname}.chk"
done
}
multilib_src_install() {
pushd dist >/dev/null || die
dodir /usr/$(get_libdir)
cp -L */lib/*$(get_libname) "${ED}"/usr/$(get_libdir) || die "copying shared libs failed"
local i
for i in crmf freebl nssb nssckfw ; do
cp -L */lib/lib${i}.a "${ED}"/usr/$(get_libdir) || die "copying libs failed"
done
# Install nss-config and pkgconfig file
dodir /usr/bin
cp -L */bin/nss-config "${ED}"/usr/bin || die
dodir /usr/$(get_libdir)/pkgconfig
cp -L */lib/pkgconfig/nss.pc "${ED}"/usr/$(get_libdir)/pkgconfig || die
# create an nss-softokn.pc from nss.pc for libfreebl and some private headers
# bug 517266
sed -e 's#Libs:#Libs: -lfreebl#' \
-e 's#Cflags:#Cflags: -I${includedir}/private#' \
*/lib/pkgconfig/nss.pc >"${ED}"/usr/$(get_libdir)/pkgconfig/nss-softokn.pc \
|| die "could not create nss-softokn.pc"
# all the include files
insinto /usr/include/nss
doins public/nss/*.{h,api}
insinto /usr/include/nss/private
doins private/nss/{blapi,alghmac,cmac}.h
popd >/dev/null || die
local f nssutils
# Always enabled because we need it for chk generation.
nssutils=( shlibsign )
if multilib_is_native_abi ; then
if use utils; then
# The tests we do not need to install.
#nssutils_test="bltest crmftest dbtest dertimetest
#fipstest remtest sdrtest"
# checkcert utils has been removed in nss-3.22:
# https://bugzilla.mozilla.org/show_bug.cgi?id=1187545
# https://hg.mozilla.org/projects/nss/rev/df1729d37870
# certcgi has been removed in nss-3.36:
# https://bugzilla.mozilla.org/show_bug.cgi?id=1426602
nssutils+=(
addbuiltin
atob
baddbdir
btoa
certutil
cmsutil
conflict
crlutil
derdump
digest
makepqg
mangle
modutil
multinit
nonspr10
ocspclnt
oidcalc
p7content
p7env
p7sign
p7verify
pk11mode
pk12util
pp
rsaperf
selfserv
signtool
signver
ssltap
strsclnt
symkeyutil
tstclnt
vfychain
vfyserv
)
# install man-pages for utils (bug #516810)
doman doc/nroff/*.1
fi
pushd dist/*/bin >/dev/null || die
for f in ${nssutils[@]}; do
dobin ${f}
done
popd >/dev/null || die
fi
strip-lto-bytecode
}
pkg_postinst() {
if [[ -n "${ROOT}" ]]; then
elog "You appear to to be installing in a seperate \$ROOT"
elog "to complete the setup and re-sign libraries please run:"
elog "emerge --config '=${CATEGORY}/${PF}'"
else
sign_libraries
fi
}
pkg_config() {
sign_libraries
}
sign_libraries() {
multilib_pkg_postinst() {
# We must re-sign the libraries AFTER they are stripped.
local shlibsign="${EROOT}/usr/bin/shlibsign"
# See if we can execute it (cross-compiling & such). #436216
"${shlibsign}" -h >&/dev/null
if [[ $? -gt 1 ]] ; then
shlibsign="shlibsign"
fi
generate_chk "${shlibsign}" "${EROOT}"/usr/$(get_libdir)
}
multilib_foreach_abi multilib_pkg_postinst
}
pkg_postrm() {
multilib_pkg_postrm() {
cleanup_chk "${EROOT}"/usr/$(get_libdir)
}
multilib_foreach_abi multilib_pkg_postrm
}


@ -1,448 +0,0 @@
# Copyright 1999-2025 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
inherit dot-a flag-o-matic multilib toolchain-funcs multilib-minimal
NSPR_VER="4.35"
RTM_NAME="NSS_${PV//./_}_RTM"
DESCRIPTION="Mozilla's Network Security Services library that implements PKI support"
HOMEPAGE="https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS"
SRC_URI="https://archive.mozilla.org/pub/security/nss/releases/${RTM_NAME}/src/${P}.tar.gz
cacert? ( https://dev.gentoo.org/~juippis/mozilla/patchsets/nss-3.104-cacert-class1-class3.patch )"
LICENSE="|| ( MPL-2.0 GPL-2 LGPL-2.1 )"
SLOT="0"
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~x64-solaris"
IUSE="cacert test test-full +utils cpu_flags_ppc_altivec cpu_flags_x86_avx2 cpu_flags_x86_sse3 cpu_flags_ppc_vsx"
REQUIRED_USE="test-full? ( test )"
PROPERTIES="test_network"
RESTRICT="test"
# pkg-config called by nss-config -> virtual/pkgconfig in RDEPEND
RDEPEND="
>=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}]
>=dev-db/sqlite-3.8.2[${MULTILIB_USEDEP}]
>=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}]
virtual/pkgconfig
"
DEPEND="${RDEPEND}"
BDEPEND="dev-lang/perl"
S="${WORKDIR}/${P}/${PN}"
MULTILIB_CHOST_TOOLS=(
/usr/bin/nss-config
)
PATCHES=(
"${FILESDIR}"/nss-3.103-gentoo-fixes-add-pkgconfig-files.patch
"${FILESDIR}"/nss-3.21-gentoo-fixup-warnings.patch
"${FILESDIR}"/nss-3.87-use-clang-as-bgo892686.patch
)
src_prepare() {
default
if use cacert ; then
eapply -p2 "${DISTDIR}"/nss-3.104-cacert-class1-class3.patch
fi
pushd coreconf >/dev/null || die
# hack nspr paths
echo 'INCLUDES += -I$(DIST)/include/dbm' \
>> headers.mk || die "failed to append include"
# modify install path
sed -e '/CORE_DEPTH/s:SOURCE_PREFIX.*$:SOURCE_PREFIX = $(CORE_DEPTH)/dist:' \
-i source.mk || die
# Respect LDFLAGS
sed -i -e 's/\$(MKSHLIB) -o/\$(MKSHLIB) \$(LDFLAGS) -o/g' rules.mk
# Workaround make-4.4's change to sub-make, bmo#1800237, bgo#882069
sed -i -e "s/^CPU_TAG = _.*/CPU_TAG = _$(nssarch)/" Linux.mk || die
popd >/dev/null || die
# Fix pkgconfig file for Prefix
sed -i -e "/^PREFIX =/s:= /usr:= ${EPREFIX}/usr:" \
config/Makefile || die
# use host shlibsign if need be #436216
if tc-is-cross-compiler ; then
sed -i \
-e 's:"${2}"/shlibsign:shlibsign:' \
cmd/shlibsign/sign.sh || die
fi
# dirty hack
sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../freebl/\$(OBJDIR):" \
lib/ssl/config.mk || die
sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../../lib/freebl/\$(OBJDIR):" \
cmd/platlibs.mk || die
multilib_copy_sources
lto-guarantee-fat
strip-flags
}
multilib_src_configure() {
# Ensure we stay multilib aware
sed -i -e "/@libdir@/ s:lib64:$(get_libdir):" config/Makefile || die
}
nssarch() {
# Most of the arches are the same as $ARCH
local t=${1:-${CHOST}}
case ${t} in
*86*-pc-solaris2*) echo "i86pc" ;;
aarch64*) echo "aarch64" ;;
hppa*) echo "parisc" ;;
i?86*) echo "i686" ;;
x86_64*) echo "x86_64" ;;
*) tc-arch ${t} ;;
esac
}
nssbits() {
local cc cppflags="${1}CPPFLAGS" cflags="${1}CFLAGS"
if [[ ${1} == BUILD_ ]]; then
cc=$(tc-getBUILD_CC)
else
cc=$(tc-getCC)
fi
# TODO: Port this to toolchain-funcs tc-get-ptr-size/tc-get-build-ptr-size
echo > "${T}"/test.c || die
${cc} ${!cppflags} ${!cflags} -fno-lto -c "${T}"/test.c -o "${T}/${1}test.o" || die
case $(file -S "${T}/${1}test.o") in
*32-bit*x86-64*) echo USE_X32=1;;
*64-bit*|*ppc64*|*x86_64*) echo USE_64=1;;
*32-bit*|*ppc*|*i386*) ;;
*) die "Failed to detect whether ${cc} builds 64bits or 32bits, disable distcc if you're using it, please";;
esac
}
multilib_src_compile() {
# use ABI to determine bit'ness, or fallback if unset
local buildbits mybits
case "${ABI}" in
n32) mybits="USE_N32=1";;
x32) mybits="USE_X32=1";;
s390x|*64) mybits="USE_64=1";;
${DEFAULT_ABI})
einfo "Running compilation test to determine bit'ness"
mybits=$(nssbits)
;;
esac
# bitness of host may differ from target
if tc-is-cross-compiler; then
buildbits=$(nssbits BUILD_)
fi
local makeargs=(
CC="$(tc-getCC)"
CCC="$(tc-getCXX)"
AR="$(tc-getAR) rc \$@"
RANLIB="$(tc-getRANLIB)"
OPTIMIZER=
${mybits}
disable_ckbi=0
)
# Take care of nspr settings #436216
local myCPPFLAGS="${CPPFLAGS} $($(tc-getPKG_CONFIG) nspr --cflags) -D_FILE_OFFSET_BITS=64"
unset NSPR_INCLUDE_DIR
export NSS_ALLOW_SSLKEYLOGFILE=1
export NSS_ENABLE_WERROR=0 #567158
export BUILD_OPT=1
export NSS_USE_SYSTEM_SQLITE=1
export NSDISTMODE=copy
export FREEBL_NO_DEPEND=1
export FREEBL_LOWHASH=1
export NSS_SEED_ONLY_DEV_URANDOM=1
export USE_SYSTEM_ZLIB=1
export ZLIB_LIBS=-lz
export ASFLAGS=""
# Fix build failure on arm64
export NS_USE_GCC=1
# Detect compiler type and set proper environment value
if tc-is-gcc; then
export CC_IS_GCC=1
elif tc-is-clang; then
export CC_IS_CLANG=1
fi
export NSS_DISABLE_GTESTS=$(usex !test 1 0)
# Include exportable custom settings defined by users, #900915
# Two examples uses:
# EXTRA_NSSCONF="MYONESWITCH=1"
# EXTRA_NSSCONF="MYVALUE=0 MYOTHERVALUE=1 MYTHIRDVALUE=1"
# e.g.
# EXTRA_NSSCONF="NSS_ALLOW_SSLKEYLOGFILE=0"
# or
# EXTRA_NSSCONF="NSS_ALLOW_SSLKEYLOGFILE=0 NSS_ENABLE_WERROR=1"
# etc.
if [[ -n "${EXTRA_NSSCONF}" ]]; then
ewarn "EXTRA_NSSCONF applied, please disable custom settings before reporting bugs."
read -a myextranssconf <<< "${EXTRA_NSSCONF}"
for (( i=0; i<${#myextranssconf[@]}; i++ )); do
export "${myextranssconf[$i]}"
echo "exported ${myextranssconf[$i]}"
done
fi
# explicitly disable altivec/vsx if not requested
# https://bugs.gentoo.org/789114
case ${ARCH} in
ppc*)
use cpu_flags_ppc_altivec || export NSS_DISABLE_ALTIVEC=1
use cpu_flags_ppc_vsx || export NSS_DISABLE_CRYPTO_VSX=1
;;
esac
use cpu_flags_x86_avx2 || export NSS_DISABLE_AVX2=1
use cpu_flags_x86_sse3 || export NSS_DISABLE_SSE3=1
local d
# Disables calling shlibsign during the build #956431 and #436216
tc-is-cross-compiler && makeargs+=( CROSS_COMPILE=1 )
# Build the host tools first.
LDFLAGS="${BUILD_LDFLAGS}" \
XCFLAGS="${BUILD_CFLAGS} -D_FILE_OFFSET_BITS=64" \
NSPR_LIB_DIR="${T}/fakedir" \
emake -C coreconf \
CC="$(tc-getBUILD_CC)" \
${buildbits-${mybits}}
makeargs+=( NSINSTALL="${PWD}/$(find -type f -name nsinstall)" )
# Then build the target tools.
for d in . lib/dbm ; do
CPPFLAGS="${myCPPFLAGS}" \
XCFLAGS="${CFLAGS} ${CPPFLAGS} -D_FILE_OFFSET_BITS=64" \
NSPR_LIB_DIR="${T}/fakedir" \
emake "${makeargs[@]}" -C ${d} OS_TEST="$(nssarch)"
done
}
multilib_src_test() {
einfo "Tests can take a *long* time, especially on a multilib system."
einfo "~10 minutes per lib configuration with only 'standard' tests,"
einfo "~40 minutes per lib configuration with 'full' tests. Bug #852755"
# https://www.linuxfromscratch.org/blfs/view/svn/postlfs/nss.html
# https://firefox-source-docs.mozilla.org/security/nss/legacy/nss_sources_building_testing/index.html#running_the_nss_test_suite
# https://www-archive.mozilla.org/projects/security/pki/nss/testnss_32.html (older)
export BUILD_OPT=1
export HOST="localhost"
export DOMSUF="localdomain"
export USE_IP=TRUE
export IP_ADDRESS="127.0.0.1"
# Only run the standard cycle instead of full, reducing testing time from 45 minutes to 15
# per lib implementation.
if use test-full ; then
# export NSS_CYCLES="standard pkix sharedb"
:;
else
export NSS_CYCLES="standard"
fi
NSINSTALL="${PWD}/$(find -type f -name nsinstall)"
cd "${BUILD_DIR}"/tests || die
# Hack to get current objdir (prefixed dir where built binaries are)
# Without this, at least multilib tests go wrong when building the amd64 variant
# after x86.
local objdir=$(find "${BUILD_DIR}"/dist -maxdepth 1 -iname Linux* | rev | cut -d/ -f1 | rev)
# Can tweak to a subset of tests in future if we need to, but would prefer not
OBJDIR="${objdir}" DIST="${BUILD_DIR}/dist" MOZILLA_ROOT="${BUILD_DIR}" ./all.sh || die
}
# Altering these 3 libraries breaks the CHK verification.
# All of the following cause it to break:
# - stripping
# - prelink
# - ELF signing
# http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn6.html
# Either we have to NOT strip them, or we have to forcibly resign after
# stripping.
#local_libdir="$(get_libdir)"
#export STRIP_MASK="
# */${local_libdir}/libfreebl3.so*
# */${local_libdir}/libnssdbm3.so*
# */${local_libdir}/libsoftokn3.so*"
export NSS_CHK_SIGN_LIBS="freebl3 nssdbm3 softokn3"
generate_chk() {
local shlibsign="$1"
local libdir="$2"
einfo "Resigning core NSS libraries for FIPS validation"
shift 2
local i
for i in ${NSS_CHK_SIGN_LIBS} ; do
local libname=lib${i}.so
local chkname=lib${i}.chk
"${shlibsign}" \
-i "${libdir}"/${libname} \
-o "${libdir}"/${chkname}.tmp \
&& mv -f \
"${libdir}"/${chkname}.tmp \
"${libdir}"/${chkname} \
|| die "Failed to sign ${libname}"
done
}
cleanup_chk() {
local libdir="$1"
shift 1
local i
for i in ${NSS_CHK_SIGN_LIBS} ; do
local libfname="${libdir}/lib${i}.so"
# If the major version has changed, then we have old chk files.
[ ! -f "${libfname}" -a -f "${libfname}.chk" ] \
&& rm -f "${libfname}.chk"
done
}
multilib_src_install() {
pushd dist >/dev/null || die
dodir /usr/$(get_libdir)
cp -L */lib/*$(get_libname) "${ED}"/usr/$(get_libdir) || die "copying shared libs failed"
local i
for i in crmf freebl nssb nssckfw ; do
cp -L */lib/lib${i}.a "${ED}"/usr/$(get_libdir) || die "copying libs failed"
done
# Install nss-config and pkgconfig file
dodir /usr/bin
cp -L */bin/nss-config "${ED}"/usr/bin || die
dodir /usr/$(get_libdir)/pkgconfig
cp -L */lib/pkgconfig/nss.pc "${ED}"/usr/$(get_libdir)/pkgconfig || die
# create an nss-softokn.pc from nss.pc for libfreebl and some private headers
# bug 517266
sed -e 's#Libs:#Libs: -lfreebl#' \
-e 's#Cflags:#Cflags: -I${includedir}/private#' \
*/lib/pkgconfig/nss.pc >"${ED}"/usr/$(get_libdir)/pkgconfig/nss-softokn.pc \
|| die "could not create nss-softokn.pc"
# all the include files
insinto /usr/include/nss
doins public/nss/*.{h,api}
insinto /usr/include/nss/private
doins private/nss/{blapi,alghmac,cmac}.h
popd >/dev/null || die
local f nssutils
# Always enabled because we need it for chk generation.
nssutils=( shlibsign )
if multilib_is_native_abi ; then
if use utils; then
# The tests we do not need to install.
#nssutils_test="bltest crmftest dbtest dertimetest
#fipstest remtest sdrtest"
# checkcert utils has been removed in nss-3.22:
# https://bugzilla.mozilla.org/show_bug.cgi?id=1187545
# https://hg.mozilla.org/projects/nss/rev/df1729d37870
# certcgi has been removed in nss-3.36:
# https://bugzilla.mozilla.org/show_bug.cgi?id=1426602
nssutils+=(
addbuiltin
atob
baddbdir
btoa
certutil
cmsutil
conflict
crlutil
derdump
digest
makepqg
mangle
modutil
multinit
nonspr10
ocspclnt
oidcalc
p7content
p7env
p7sign
p7verify
pk11mode
pk12util
pp
rsaperf
selfserv
signtool
signver
ssltap
strsclnt
symkeyutil
tstclnt
vfychain
vfyserv
)
# install man-pages for utils (bug #516810)
doman doc/nroff/*.1
fi
pushd dist/*/bin >/dev/null || die
for f in ${nssutils[@]}; do
dobin ${f}
done
popd >/dev/null || die
fi
strip-lto-bytecode
}
pkg_postinst() {
if [[ -n "${ROOT}" ]]; then
elog "You appear to to be installing in a seperate \$ROOT"
elog "to complete the setup and re-sign libraries please run:"
elog "emerge --config '=${CATEGORY}/${PF}'"
else
sign_libraries
fi
}
pkg_config() {
sign_libraries
}
sign_libraries() {
multilib_pkg_postinst() {
# We must re-sign the libraries AFTER they are stripped.
local shlibsign="${EROOT}/usr/bin/shlibsign"
# See if we can execute it (cross-compiling & such). #436216
"${shlibsign}" -h >&/dev/null
if [[ $? -gt 1 ]] ; then
shlibsign="shlibsign"
fi
generate_chk "${shlibsign}" "${EROOT}"/usr/$(get_libdir)
}
multilib_foreach_abi multilib_pkg_postinst
}
pkg_postrm() {
multilib_pkg_postrm() {
cleanup_chk "${EROOT}"/usr/$(get_libdir)
}
multilib_foreach_abi multilib_pkg_postrm
}