blob: 13a0021806493fd6cb83d2c2b5eb65ced9373760 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
|
# Copyright 1999-2013 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/dev-libs/nss/nss-3.14.1.ebuild,v 1.1 2013/01/09 23:07:36 anarchy Exp $
EAPI=3
inherit eutils flag-o-matic multilib toolchain-funcs
NSPR_VER="4.9.2"
RTM_NAME="NSS_${PV//./_}_RTM"
DESCRIPTION="Mozilla's Network Security Services library that implements PKI support"
HOMEPAGE="http://www.mozilla.org/projects/security/pki/nss/"
SRC_URI="ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/${RTM_NAME}/src/${P}.tar.gz
http://dev.gentoo.org/~anarchy/patches/${PN}-3.14.1-add_spi+cacerts_ca_certs.patch
http://dev.gentoo.org/~anarchy/patches/${PN}-3.13.3_pem.support"
LICENSE="MPL-2.0 GPL-2 LGPL-2.1"
SLOT="0"
KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris"
IUSE="utils"
DEPEND="virtual/pkgconfig
>=dev-libs/nspr-${NSPR_VER}"
RDEPEND=">=dev-libs/nspr-${NSPR_VER}
>=dev-db/sqlite-3.5
sys-libs/zlib"
src_setup() {
export LC_ALL="C"
}
src_prepare() {
# Custom changes for gentoo
epatch "${FILESDIR}/${PN}-3.14.1-gentoo-fixups.patch"
epatch "${FILESDIR}/${PN}-3.12.6-gentoo-fixup-warnings.patch"
epatch "${DISTDIR}/${PN}-3.14.1-add_spi+cacerts_ca_certs.patch"
epatch "${DISTDIR}/${PN}-3.13.3_pem.support"
epatch "${FILESDIR}/${PN}-3.13.5-x32.patch"
cd "${S}"/mozilla/security/coreconf || die
# hack nspr paths
echo 'INCLUDES += -I'"${EPREFIX}"'/usr/include/nspr -I$(DIST)/include/dbm' \
>> headers.mk || die "failed to append include"
# modify install path
sed -e 's:SOURCE_PREFIX = $(CORE_DEPTH)/\.\./dist:SOURCE_PREFIX = $(CORE_DEPTH)/dist:' \
-i source.mk || die
# Respect LDFLAGS
sed -i -e 's/\$(MKSHLIB) -o/\$(MKSHLIB) \$(LDFLAGS) -o/g' rules.mk || die
# Ensure we stay multilib aware
sed -i -e "s:gentoo\/nss:$(get_libdir):" "${S}"/mozilla/security/nss/config/Makefile || die "Failed to fix for multilib"
# Fix pkgconfig file for Prefix
sed -i -e "/^PREFIX =/s:= /usr:= ${EPREFIX}/usr:" \
"${S}"/mozilla/security/nss/config/Makefile || die
epatch "${FILESDIR}/nss-3.13.1-solaris-gcc.patch"
# dirty hack
cd "${S}"/mozilla/security/nss || die
sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../freebl/\$(OBJDIR):" \
lib/ssl/config.mk || die
sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../../lib/freebl/\$(OBJDIR):" \
cmd/platlibs.mk || die
}
src_compile() {
strip-flags
echo > "${T}"/test.c || die
$(tc-getCC) ${CFLAGS} -c "${T}"/test.c -o "${T}"/test.o || die
case $(file "${T}"/test.o) in
*32-bit*x86-64*) export USE_x32=1;;
*64-bit*|*ppc64*|*x86_64*) export USE_64=1;;
*32-bit*|*ppc*|*i386*) ;;
*) die "Failed to detect whether your arch is 64bits or 32bits, disable distcc if you're using it, please";;
esac
export NSPR_INCLUDE_DIR=`nspr-config --includedir`
export NSPR_LIB_DIR=`nspr-config --libdir`
export BUILD_OPT=1
export NSS_USE_SYSTEM_SQLITE=1
export NSDISTMODE=copy
export NSS_ENABLE_ECC=1
export XCFLAGS="${CFLAGS}"
export FREEBL_NO_DEPEND=1
export ASFLAGS=""
cd "${S}"/mozilla/security/coreconf || die
emake -j1 CC="$(tc-getCC)" || die "coreconf make failed"
cd "${S}"/mozilla/security/dbm || die
emake -j1 CC="$(tc-getCC)" || die "dbm make failed"
cd "${S}"/mozilla/security/nss || die
emake -j1 CC="$(tc-getCC)" || die "nss make failed"
}
# Altering these 3 libraries breaks the CHK verification.
# All of the following cause it to break:
# - stripping
# - prelink
# - ELF signing
# http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn6.html
# Either we have to NOT strip them, or we have to forcibly resign after
# stripping.
#local_libdir="$(get_libdir)"
#export STRIP_MASK="
# */${local_libdir}/libfreebl3.so*
# */${local_libdir}/libnssdbm3.so*
# */${local_libdir}/libsoftokn3.so*"
export NSS_CHK_SIGN_LIBS="freebl3 nssdbm3 softokn3"
generate_chk() {
local shlibsign="$1"
local libdir="$2"
einfo "Resigning core NSS libraries for FIPS validation"
shift 2
for i in ${NSS_CHK_SIGN_LIBS} ; do
local libname=lib${i}.so
local chkname=lib${i}.chk
"${shlibsign}" \
-i "${libdir}"/${libname} \
-o "${libdir}"/${chkname}.tmp \
&& mv -f \
"${libdir}"/${chkname}.tmp \
"${libdir}"/${chkname} \
|| die "Failed to sign ${libname}"
done
}
cleanup_chk() {
local libdir="$1"
shift 1
for i in ${NSS_CHK_SIGN_LIBS} ; do
local libfname="${libdir}/lib${i}.so"
# If the major version has changed, then we have old chk files.
[ ! -f "${libfname}" -a -f "${libfname}.chk" ] \
&& rm -f "${libfname}.chk"
done
}
src_install () {
MINOR_VERSION=12
cd "${S}"/mozilla/security/dist || die
dodir /usr/$(get_libdir) || die
cp -L */lib/*$(get_libname) "${ED}"/usr/$(get_libdir) || die "copying shared libs failed"
# We generate these after stripping the libraries, else they don't match.
#cp -L */lib/*.chk "${ED}"/usr/$(get_libdir) || die "copying chk files failed"
cp -L */lib/libcrmf.a "${ED}"/usr/$(get_libdir) || die "copying libs failed"
# Install nss-config and pkgconfig file
dodir /usr/bin || die
cp -L */bin/nss-config "${ED}"/usr/bin || die
dodir /usr/$(get_libdir)/pkgconfig || die
cp -L */lib/pkgconfig/nss.pc "${ED}"/usr/$(get_libdir)/pkgconfig || die
# all the include files
insinto /usr/include/nss
doins public/nss/*.h || die
cd "${ED}"/usr/$(get_libdir) || die
local n=
for file in *$(get_libname); do
n=${file%$(get_libname)}$(get_libname ${MINOR_VERSION})
mv ${file} ${n} || die
ln -s ${n} ${file} || die
if [[ ${CHOST} == *-darwin* ]]; then
install_name_tool -id "${EPREFIX}/usr/$(get_libdir)/${n}" ${n} || die
fi
done
local nssutils
# Always enabled because we need it for chk generation.
nssutils="shlibsign"
if use utils; then
# The tests we do not need to install.
#nssutils_test="bltest crmftest dbtest dertimetest
#fipstest remtest sdrtest"
nssutils="addbuiltin atob baddbdir btoa certcgi certutil checkcert
cmsutil conflict crlutil derdump digest makepqg mangle modutil multinit
nonspr10 ocspclnt oidcalc p7content p7env p7sign p7verify pk11mode
pk12util pp rsaperf selfserv shlibsign signtool signver ssltap strsclnt
symkeyutil tstclnt vfychain vfyserv"
fi
cd "${S}"/mozilla/security/dist/*/bin/ || die
for f in $nssutils; do
dobin ${f} || die
done
# Prelink breaks the CHK files. We don't have any reliable way to run
# shlibsign after prelink.
declare -a libs
for l in ${NSS_CHK_SIGN_LIBS} ; do
libs+=("${EPREFIX}/usr/$(get_libdir)/lib${l}.so")
done
OLD_IFS="${IFS}" IFS=":" ; liblist="${libs[*]}" ; IFS="${OLD_IFS}"
echo -e "PRELINK_PATH_MASK=${liblist}" >"${T}/90nss" || die
unset libs liblist
doenvd "${T}/90nss" || die
}
pkg_postinst() {
# We must re-sign the libraries AFTER they are stripped.
generate_chk "${EROOT}"/usr/bin/shlibsign "${EROOT}"/usr/$(get_libdir)
}
pkg_postrm() {
cleanup_chk "${EROOT}"/usr/$(get_libdir)
}
|