diff options
-rw-r--r-- | dev-libs/nss/ChangeLog | 8 | ||||
-rw-r--r-- | dev-libs/nss/nss-3.12.6-r2.ebuild | 186 |
2 files changed, 193 insertions, 1 deletions
diff --git a/dev-libs/nss/ChangeLog b/dev-libs/nss/ChangeLog index 99d70a74b480..e429562cafae 100644 --- a/dev-libs/nss/ChangeLog +++ b/dev-libs/nss/ChangeLog @@ -1,6 +1,12 @@ # ChangeLog for dev-libs/nss # Copyright 1999-2010 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/dev-libs/nss/ChangeLog,v 1.180 2010/05/31 19:23:22 josejx Exp $ +# $Header: /var/cvsroot/gentoo-x86/dev-libs/nss/ChangeLog,v 1.181 2010/06/16 18:52:52 robbat2 Exp $ + +*nss-3.12.6-r2 (16 Jun 2010) + + 16 Jun 2010; Robin H. Johnson <robbat2@gentoo.org> +nss-3.12.6-r2.ebuild: + Bug #323871: Ensure CHK files are valid more often, and prevent them from + being prelinked since that would break the CHKs. 31 May 2010; Joseph Jezak <josejx@gentoo.org> nss-3.12.6-r1.ebuild: Marked ppc/ppc64 stable for bug #314025. diff --git a/dev-libs/nss/nss-3.12.6-r2.ebuild b/dev-libs/nss/nss-3.12.6-r2.ebuild new file mode 100644 index 000000000000..8ad4d14686d2 --- /dev/null +++ b/dev-libs/nss/nss-3.12.6-r2.ebuild @@ -0,0 +1,186 @@ +# Copyright 1999-2010 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/dev-libs/nss/nss-3.12.6-r2.ebuild,v 1.1 2010/06/16 18:52:52 robbat2 Exp $ + +inherit eutils flag-o-matic multilib toolchain-funcs + +NSPR_VER="4.8.3-r2" +RTM_NAME="NSS_${PV//./_}_RTM" +DESCRIPTION="Mozilla's Network Security Services library that implements PKI support" +HOMEPAGE="http://www.mozilla.org/projects/security/pki/nss/" +SRC_URI="ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/${RTM_NAME}/src/${P}.tar.gz" + +LICENSE="|| ( MPL-1.1 GPL-2 LGPL-2.1 )" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~sparc ~x86 ~x86-fbsd" +IUSE="utils" + +DEPEND="dev-util/pkgconfig" +RDEPEND=">=dev-libs/nspr-${NSPR_VER} + >=dev-db/sqlite-3.5" + +src_unpack() { + unpack ${A} + + cd "${S}" + + # Custom changes for gentoo + epatch "${FILESDIR}/${PN}-3.12.5-gentoo-fixups.diff" + epatch "${FILESDIR}/${PN}-3.12.6-gentoo-fixup-warnings.patch" + + cd "${S}"/mozilla/security/coreconf + + # modify install path + sed -e 's:SOURCE_PREFIX = $(CORE_DEPTH)/\.\./dist:SOURCE_PREFIX = $(CORE_DEPTH)/dist:' \ + -i source.mk + + # Respect LDFLAGS + sed -i -e 's/\$(MKSHLIB) -o/\$(MKSHLIB) \$(LDFLAGS) -o/g' rules.mk + + # Ensure we stay multilib aware + sed -i -e "s:gentoo\/nss:$(get_libdir):" "${S}"/mozilla/security/nss/config/Makefile || die "Failed to fix for multilib" +} + +src_compile() { + strip-flags + + echo > "${T}"/test.c + $(tc-getCC) ${CFLAGS} -c "${T}"/test.c -o "${T}"/test.o + case $(file "${T}"/test.o) in + *64-bit*) export USE_64=1;; + *32-bit*) ;; + *) die "Failed to detect whether your arch is 64bits or 32bits, disable distcc if you're using it, please";; + esac + + export NSPR_INCLUDE_DIR=`nspr-config --includedir` + export NSPR_LIB_DIR=`nspr-config --libdir` + export BUILD_OPT=1 + export NSS_USE_SYSTEM_SQLITE=1 + export NSDISTMODE=copy + export NSS_ENABLE_ECC=1 + export XCFLAGS="${CFLAGS}" + export FREEBL_NO_DEPEND=1 + + cd "${S}"/mozilla/security/coreconf + emake -j1 CC="$(tc-getCC)" || die "coreconf make failed" + cd "${S}"/mozilla/security/dbm + emake -j1 CC="$(tc-getCC)" || die "dbm make failed" + cd "${S}"/mozilla/security/nss + emake -j1 CC="$(tc-getCC)" || die "nss make failed" +} + +# Altering these 3 libraries breaks the CHK verification. +# All of the following cause it to break: +# - stripping +# - prelink +# - ELF signing +# http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn6.html +# Either we have to NOT strip them, or we have to forcibly resign after +# stripping. +#local_libdir="$(get_libdir)" +#export STRIP_MASK=" +# */${local_libdir}/libfreebl3.so* +# */${local_libdir}/libnssdbm3.so* +# */${local_libdir}/libsoftokn3.so*" + +export NSS_CHK_SIGN_LIBS="freebl3 nssdbm3 softokn3" + +generate_chk() { + local shlibsign="$1" + local libdir="$2" + einfo "Resigning core NSS libraries for FIPS validation" + shift 2 + for i in ${NSS_CHK_SIGN_LIBS} ; do + local libname=lib${i}.so + local chkname=lib${i}.chk + "${shlibsign}" \ + -i "${libdir}"/${libname} \ + -o "${libdir}"/${chkname}.tmp \ + && mv -f \ + "${libdir}"/${chkname}.tmp \ + "${libdir}"/${chkname} \ + || die "Failed to sign ${libname}" + done +} + +cleanup_chk() { + local libdir="$1" + shift 1 + for i in ${NSS_CHK_SIGN_LIBS} ; do + local libfname="${libdir}/lib${i}.so" + # If the major version has changed, then we have old chk files. + [ ! -f "${libfname}" -a -f "${libfname}.chk" ] \ + && rm -f "${libfname}.chk" + done +} + +src_install () { + MINOR_VERSION=12 + cd "${S}"/mozilla/security/dist + + dodir /usr/$(get_libdir) + cp -L */lib/*.so "${D}"/usr/$(get_libdir) || die "copying shared libs failed" + # We generate these after stripping the libraries, else they don't match. + #cp -L */lib/*.chk "${D}"/usr/$(get_libdir) || die "copying chk files failed" + cp -L */lib/libcrmf.a "${D}"/usr/$(get_libdir) || die "copying libs failed" + + # Install nss-config and pkgconfig file + dodir /usr/bin + cp -L */bin/nss-config "${D}"/usr/bin + dodir /usr/$(get_libdir)/pkgconfig + cp -L */lib/pkgconfig/nss.pc "${D}"/usr/$(get_libdir)/pkgconfig + + # all the include files + insinto /usr/include/nss + doins public/nss/*.h + cd "${D}"/usr/$(get_libdir) + for file in *.so; do + mv ${file} ${file}.${MINOR_VERSION} + ln -s ${file}.${MINOR_VERSION} ${file} + done + + local nssutils + # Always enabled because we need it for chk generation. + nssutils="shlibsign" + if use utils; then + # The tests we do not need to install. + #nssutils_test="bltest crmftest dbtest dertimetest + #fipstest remtest sdrtest" + nssutils="addbuiltin atob baddbdir btoa certcgi certutil checkcert + cmsutil conflict crlutil derdump digest makepqg mangle modutil multinit + nonspr10 ocspclnt oidcalc p7content p7env p7sign p7verify pk11mode + pk12util pp rsaperf selfserv shlibsign signtool signver ssltap strsclnt + symkeyutil tstclnt vfychain vfyserv" + fi + cd "${S}"/mozilla/security/dist/*/bin/ + for f in $nssutils; do + dobin ${f} + done + + # Prelink breaks the CHK files. We don't have any reliable way to run + # shlibsign after prelink. + declare -a libs + for l in ${NSS_CHK_SIGN_LIBS} ; do + libs+=("/usr/$(get_libdir)/lib${l}.so") + done + OLD_IFS="${IFS}" IFS=":" ; liblist="${libs[*]}" ; IFS="${OLD_IFS}" + echo -e "PRELINK_PATH_MASK=${liblist}" >"${T}/90nss" + unset libs liblist + doenvd "${T}/90nss" +} + +pkg_postinst() { + elog "We have reverted back to using upstreams soname." + elog "Please run revdep-rebuild --library libnss3.so.12 , this" + elog "will correct most issues. If you find a binary that does" + elog "not run please re-emerge package to ensure it properly" + elog " links after upgrade." + elog + # We must re-sign the libraries AFTER they are stripped. + generate_chk "${ROOT}"/usr/bin/shlibsign "${ROOT}"/usr/$(get_libdir) +} + +pkg_postrm() { + cleanup_chk "${ROOT}"/usr/$(get_libdir) +} + |