commit: d91f6e62fceae8b6604a41480ca7a7f7a61cbedc
Author: Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
AuthorDate: Tue Jun 7 20:54:26 2016 +0000
Commit: Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
CommitDate: Tue Jun 7 20:56:56 2016 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d91f6e62
dev-libs/nss: Bump to version 3.24
Package-Manager: portage-2.2.28
Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org>
dev-libs/nss/Manifest | 1 +
dev-libs/nss/nss-3.24.ebuild | 340 +++++++++++++++++++++++++++++++++++++++++++
2 files changed, 341 insertions(+)
diff --git a/dev-libs/nss/Manifest b/dev-libs/nss/Manifest
index 0deec36..8dc1398 100644
--- a/dev-libs/nss/Manifest
+++ b/dev-libs/nss/Manifest
@@ -4,5 +4,6 @@ DIST nss-3.20.tar.gz 6955552 SHA256
5e38d4b9837ca338af966b97fc91c07f67ad647fb38d
DIST nss-3.21.tar.gz 6978112 SHA256
3f7a5b027d7cdd5c0e4ff7544da33fdc6f56c2f8c27fff02938fd4a6fbe87239 SHA512
0645465b5d1ab05d819355a3f4a2879499539a00d95bfab3ca14a7dcd901e510b5d9ae797386ff5a42f68b0b57f7bbec4ec9d3a85ebd508eb824aba1fb589d53
WHIRLPOOL
7504d83de606d61840e06cb855ea688eb022d5eef062bcb7ac4d1064db96b96e35ae4ce0aff9d389a2140a7c3b974aaa9a86ada52af1199d462fdb48b11b42e4
DIST nss-3.22.2.tar.gz 6982164 SHA256
07d49287c527ac31200f02dcf8494cef19e936d8ed470802749c4dfc782d3650 SHA512
0c73ba579cb697fe295bca2ee62315bc1830b542f607c1ecfbf591fa881d2ccfb5a6d830b47cd1434bdfbac07e03848b4fe9e6bda9c6d131a2c34973dc3b337c
WHIRLPOOL
37137526ffc6f583ba54615c5fadb1076a5c0830b8aef6db394fb1da02345d5b1cf394b6a3cac7b8ce5727bf23ed1053f3f0f2865f0eab7c922c8459d5768142
DIST nss-3.23.tar.gz 7467001 SHA256
94b383e31c9671e9dfcca81084a8a813817e8f05a57f54533509b318d26e11cf SHA512
f3e388a415493685faa6df932e9e968af41ea2e8e4cba3fbd539c60177443e4042e8d2e2bfe74183552e14522d49048be2f80fbe038bdbd499971e82abf2cc32
WHIRLPOOL
77e22bd7a525c5b10723e1d5fb6db1e9d2efebfcdf9828aa79296f71c441c065201ecda56291f37790333d9b1d1e38fef1391a033382a885b83da31a646d6243
+DIST nss-3.24.tar.gz 7307782 SHA256
2f0841492f91cca473b73dec6cab9cf765a485e032d48d2e8ae7261e54c419ed SHA512
9cf6d5dcbe8292bce53e043cf2713e55f01f979827c6f5f39a22ea8d1f40a2579728454a12c30540e8fb06e8119640a539cc5c6913aa12d97008d68386abfe6e
WHIRLPOOL
49baf7a1847ffab1d549752854e999a56fd6cf52cf920310199aa95078af5c7894eb61a226cf3170cf93bffa525a674fac512a586f67ccafae91a952052e9800
DIST nss-pem-015ae754dd9f6fbcd7e52030ec9732eb27fc06a8.tar.bz2 27506 SHA256
50d9ec26a75835e900302f631456e278e13d4b435b8f98aa69f79dd439ddc6ab SHA512
0158a140f112a905f7db5a4f4d04f49f6742db1d2665ddf6c32913c367f0b93a57f86ba13b9883a42a528aff44c48196941d7c0fd7a27005db6adaf07802e501
WHIRLPOOL
279ef11d2d6f0cb7c192189d64bc6971cdada7417b93a65a3ff0ba4548b736b53b9812803024c2349114e94e0864f2b58c23812687ed3f75cf28334b0f6e11ac
DIST nss-pem-20140125.tar.bz2 28805 SHA256
62604dfc4178399a804e87ca7566d8316a0a40a535de3b2d0fa48fd80c97f768 SHA512
352faf812735e1374c534ada6dd577842603ea193dafaacfd51f201599ffe3f7a23ce1c673421e42f8b692091b58085f90843c29f70ae916949715e7baba2b39
WHIRLPOOL
3ae81410f6f4d2699e9dc55982cad03c226045fbeee25984d53d37ff78ce5c96d008d6837e1c0a10b6c96cdff17c21142e437159896d314e81afc8820867ca62
diff --git a/dev-libs/nss/nss-3.24.ebuild b/dev-libs/nss/nss-3.24.ebuild
new file mode 100644
index 0000000..8a72adc
--- /dev/null
+++ b/dev-libs/nss/nss-3.24.ebuild
@@ -0,0 +1,340 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=6
+
+inherit eutils flag-o-matic multilib toolchain-funcs multilib-minimal
+
+NSPR_VER="4.12"
+RTM_NAME="NSS_${PV//./_}_RTM"
+# Rev of https://git.fedorahosted.org/cgit/nss-pem.git
+PEM_GIT_REV="015ae754dd9f6fbcd7e52030ec9732eb27fc06a8"
+PEM_P="${PN}-pem-20140125"
+
+DESCRIPTION="Mozilla's Network Security Services library that implements PKI
support"
+HOMEPAGE="http://www.mozilla.org/projects/security/pki/nss/";
+SRC_URI="https://archive.mozilla.org/pub/security/nss/releases/${RTM_NAME}/src/${P}.tar.gz
+ cacert? (
https://dev.gentoo.org/~anarchy/patches/${PN}-3.14.1-add_spi+cacerts_ca_certs.patch
)
+ nss-pem? ( https://dev.gentoo.org/~anarchy/dist/${PEM_P}.tar.bz2 )"
+
+LICENSE="|| ( MPL-2.0 GPL-2 LGPL-2.1 )"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390
~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~x86-macos
~sparc-solaris ~x64-solaris ~x86-solaris"
+IUSE="+cacert +nss-pem utils"
+CDEPEND=">=dev-db/sqlite-3.8.2[${MULTILIB_USEDEP}]
+ >=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}]"
+DEPEND=">=virtual/pkgconfig-0-r1[${MULTILIB_USEDEP}]
+ >=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}]
+ ${CDEPEND}"
+RDEPEND=">=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}]
+ ${CDEPEND}
+ abi_x86_32? (
+ !<=app-emulation/emul-linux-x86-baselibs-20140508-r12
+ !app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
+ )"
+
+RESTRICT="test"
+
+S="${WORKDIR}/${P}/${PN}"
+
+MULTILIB_CHOST_TOOLS=(
+ /usr/bin/nss-config
+)
+
+PATCHES=(
+ # Custom changes for gentoo
+ "${FILESDIR}/${PN}-3.21-gentoo-fixups.patch"
+ "${FILESDIR}/${PN}-3.21-gentoo-fixup-warnings.patch"
+ "${FILESDIR}/${PN}-3.23-hppa-byte_order.patch"
+)
+
+src_unpack() {
+ unpack ${A}
+ if use nss-pem ; then
+ mv "${PN}"/lib/ckfw/pem/ "${S}"/lib/ckfw/ || die
+ fi
+}
+
+src_prepare() {
+ if use nss-pem ; then
+ PATCHES+=(
+ "${FILESDIR}/${PN}-3.21-enable-pem.patch"
+ "${FILESDIR}/${PN}-3.21-pem-werror.patch"
+ )
+ fi
+
+ default
+
+ if use cacert ; then
+ eapply -p4
"${DISTDIR}/${PN}-3.14.1-add_spi+cacerts_ca_certs.patch"
+ eapply "${FILESDIR}/${PN}-3.21-cacert-class3.patch"
#521462
+ fi
+
+ pushd coreconf >/dev/null || die
+ # hack nspr paths
+ echo 'INCLUDES += -I$(DIST)/include/dbm' \
+ >> headers.mk || die "failed to append include"
+
+ # modify install path
+ sed -e '/CORE_DEPTH/s:SOURCE_PREFIX.*$:SOURCE_PREFIX =
$(CORE_DEPTH)/dist:' \
+ -i source.mk || die
+
+ # Respect LDFLAGS
+ sed -i -e 's/\$(MKSHLIB) -o/\$(MKSHLIB) \$(LDFLAGS) -o/g' rules.mk
+ popd >/dev/null || die
+
+ # Fix pkgconfig file for Prefix
+ sed -i -e "/^PREFIX =/s:= /usr:= ${EPREFIX}/usr:" \
+ config/Makefile || die
+
+ # use host shlibsign if need be #436216
+ if tc-is-cross-compiler ; then
+ sed -i \
+ -e 's:"${2}"/shlibsign:shlibsign:' \
+ cmd/shlibsign/sign.sh || die
+ fi
+
+ # dirty hack
+ sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../freebl/\$(OBJDIR):" \
+ lib/ssl/config.mk || die
+ sed -i -e
"/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../../lib/freebl/\$(OBJDIR):" \
+ cmd/platlibs.mk || die
+
+ multilib_copy_sources
+
+ strip-flags
+}
+
+multilib_src_configure() {
+ # Ensure we stay multilib aware
+ sed -i -e "/@libdir@/ s:lib64:$(get_libdir):" config/Makefile || die
+}
+
+nssarch() {
+ # Most of the arches are the same as $ARCH
+ local t=${1:-${CHOST}}
+ case ${t} in
+ aarch64*)echo "aarch64";;
+ hppa*) echo "parisc";;
+ i?86*) echo "i686";;
+ x86_64*) echo "x86_64";;
+ *) tc-arch ${t};;
+ esac
+}
+
+nssbits() {
+ local cc cppflags="${1}CPPFLAGS" cflags="${1}CFLAGS"
+ if [[ ${1} == BUILD_ ]]; then
+ cc=$(tc-getBUILD_CC)
+ else
+ cc=$(tc-getCC)
+ fi
+ echo > "${T}"/test.c || die
+ ${cc} ${!cppflags} ${!cflags} -c "${T}"/test.c -o "${T}/${1}test.o" ||
die
+ case $(file "${T}/${1}test.o") in
+ *32-bit*x86-64*) echo USE_X32=1;;
+ *64-bit*|*ppc64*|*x86_64*) echo USE_64=1;;
+ *32-bit*|*ppc*|*i386*) ;;
+ *) die "Failed to detect whether ${cc} builds 64bits or 32bits,
disable distcc if you're using it, please";;
+ esac
+}
+
+multilib_src_compile() {
+ # use ABI to determine bit'ness, or fallback if unset
+ local buildbits mybits
+ case "${ABI}" in
+ n32) mybits="USE_N32=1";;
+ x32) mybits="USE_X32=1";;
+ s390x|*64) mybits="USE_64=1";;
+ ${DEFAULT_ABI})
+ einfo "Running compilation test to determine bit'ness"
+ mybits=$(nssbits)
+ ;;
+ esac
+ # bitness of host may differ from target
+ if tc-is-cross-compiler; then
+ buildbits=$(nssbits BUILD_)
+ fi
+
+ local makeargs=(
+ CC="$(tc-getCC)"
+ AR="$(tc-getAR) rc \$@"
+ RANLIB="$(tc-getRANLIB)"
+ OPTIMIZER=
+ ${mybits}
+ )
+
+ # Take care of nspr settings #436216
+ local myCPPFLAGS="${CPPFLAGS} $($(tc-getPKG_CONFIG) nspr --cflags)"
+ unset NSPR_INCLUDE_DIR
+
+ # Do not let `uname` be used.
+ if use kernel_linux ; then
+ makeargs+=(
+ OS_TARGET=Linux
+ OS_RELEASE=2.6
+ OS_TEST="$(nssarch)"
+ )
+ fi
+
+ export NSS_ENABLE_WERROR=0 #567158
+ export BUILD_OPT=1
+ export NSS_USE_SYSTEM_SQLITE=1
+ export NSDISTMODE=copy
+ export NSS_ENABLE_ECC=1
+ export FREEBL_NO_DEPEND=1
+ export ASFLAGS=""
+
+ local d
+
+ # Build the host tools first.
+ LDFLAGS="${BUILD_LDFLAGS}" \
+ XCFLAGS="${BUILD_CFLAGS}" \
+ NSPR_LIB_DIR="${T}/fakedir" \
+ emake -j1 -C coreconf \
+ CC="$(tc-getBUILD_CC)" \
+ ${buildbits:-${mybits}}
+ makeargs+=( NSINSTALL="${PWD}/$(find -type f -name nsinstall)" )
+
+ # Then build the target tools.
+ for d in . lib/dbm ; do
+ CPPFLAGS="${myCPPFLAGS}" \
+ XCFLAGS="${CFLAGS} ${CPPFLAGS}" \
+ NSPR_LIB_DIR="${T}/fakedir" \
+ emake -j1 "${makeargs[@]}" -C ${d}
+ done
+}
+
+# Altering these 3 libraries breaks the CHK verification.
+# All of the following cause it to break:
+# - stripping
+# - prelink
+# - ELF signing
+# http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn6.html
+# Either we have to NOT strip them, or we have to forcibly resign after
+# stripping.
+#local_libdir="$(get_libdir)"
+#export STRIP_MASK="
+# */${local_libdir}/libfreebl3.so*
+# */${local_libdir}/libnssdbm3.so*
+# */${local_libdir}/libsoftokn3.so*"
+
+export NSS_CHK_SIGN_LIBS="freebl3 nssdbm3 softokn3"
+
+generate_chk() {
+ local shlibsign="$1"
+ local libdir="$2"
+ einfo "Resigning core NSS libraries for FIPS validation"
+ shift 2
+ local i
+ for i in ${NSS_CHK_SIGN_LIBS} ; do
+ local libname=lib${i}.so
+ local chkname=lib${i}.chk
+ "${shlibsign}" \
+ -i "${libdir}"/${libname} \
+ -o "${libdir}"/${chkname}.tmp \
+ && mv -f \
+ "${libdir}"/${chkname}.tmp \
+ "${libdir}"/${chkname} \
+ || die "Failed to sign ${libname}"
+ done
+}
+
+cleanup_chk() {
+ local libdir="$1"
+ shift 1
+ local i
+ for i in ${NSS_CHK_SIGN_LIBS} ; do
+ local libfname="${libdir}/lib${i}.so"
+ # If the major version has changed, then we have old chk files.
+ [ ! -f "${libfname}" -a -f "${libfname}.chk" ] \
+ && rm -f "${libfname}.chk"
+ done
+}
+
+multilib_src_install() {
+ pushd dist >/dev/null || die
+
+ dodir /usr/$(get_libdir)
+ cp -L */lib/*$(get_libname) "${ED}"/usr/$(get_libdir) || die "copying
shared libs failed"
+ cp -L */lib/libcrmf.a "${ED}"/usr/$(get_libdir) || die "copying libs
failed"
+ cp -L */lib/libfreebl.a "${ED}"/usr/$(get_libdir) || die "copying libs
failed"
+
+ # Install nss-config and pkgconfig file
+ dodir /usr/bin
+ cp -L */bin/nss-config "${ED}"/usr/bin || die
+ dodir /usr/$(get_libdir)/pkgconfig
+ cp -L */lib/pkgconfig/nss.pc "${ED}"/usr/$(get_libdir)/pkgconfig || die
+
+ # create an nss-softokn.pc from nss.pc for libfreebl and some private
headers
+ # bug 517266
+ sed -e 's#Libs:#Libs: -lfreebl#' \
+ -e 's#Cflags:#Cflags: -I${includedir}/private#' \
+ */lib/pkgconfig/nss.pc
>"${ED}"/usr/$(get_libdir)/pkgconfig/nss-softokn.pc \
+ || die "could not create nss-softokn.pc"
+
+ # all the include files
+ insinto /usr/include/nss
+ doins public/nss/*.h
+ insinto /usr/include/nss/private
+ doins private/nss/{blapi,alghmac}.h
+
+ popd >/dev/null || die
+
+ local f nssutils
+ # Always enabled because we need it for chk generation.
+ nssutils="shlibsign"
+
+ if multilib_is_native_abi ; then
+ if use utils; then
+ # The tests we do not need to install.
+ #nssutils_test="bltest crmftest dbtest dertimetest
+ #fipstest remtest sdrtest"
+ # checkcert utils has been removed in nss-3.22:
+ # https://bugzilla.mozilla.org/show_bug.cgi?id=1187545
+ # https://hg.mozilla.org/projects/nss/rev/df1729d37870
+ nssutils="addbuiltin atob baddbdir btoa certcgi certutil
+ cmsutil conflict crlutil derdump digest makepqg mangle
modutil multinit
+ nonspr10 ocspclnt oidcalc p7content p7env p7sign
p7verify pk11mode
+ pk12util pp rsaperf selfserv shlibsign signtool signver
ssltap strsclnt
+ symkeyutil tstclnt vfychain vfyserv"
+ # install man-pages for utils (bug #516810)
+ doman doc/nroff/*.1
+ fi
+ pushd dist/*/bin >/dev/null || die
+ for f in ${nssutils}; do
+ dobin ${f}
+ done
+ popd >/dev/null || die
+ fi
+
+ # Prelink breaks the CHK files. We don't have any reliable way to run
+ # shlibsign after prelink.
+ dodir /etc/prelink.conf.d
+ printf -- "-b ${EPREFIX}/usr/$(get_libdir)/lib%s.so\n"
${NSS_CHK_SIGN_LIBS} \
+ > "${ED}"/etc/prelink.conf.d/nss.conf
+}
+
+pkg_postinst() {
+ multilib_pkg_postinst() {
+ # We must re-sign the libraries AFTER they are stripped.
+ local shlibsign="${EROOT}/usr/bin/shlibsign"
+ # See if we can execute it (cross-compiling & such). #436216
+ "${shlibsign}" -h >&/dev/null
+ if [[ $? -gt 1 ]] ; then
+ shlibsign="shlibsign"
+ fi
+ generate_chk "${shlibsign}" "${EROOT}"/usr/$(get_libdir)
+ }
+
+ multilib_foreach_abi multilib_pkg_postinst
+}
+
+pkg_postrm() {
+ multilib_pkg_postrm() {
+ cleanup_chk "${EROOT}"/usr/$(get_libdir)
+ }
+
+ multilib_foreach_abi multilib_pkg_postrm
+}
