commit:     22aa8bae27e2d4856f31bb1e722e42c3d4aa237d
Author:     Ian Stakenvicius <axs <AT> gentoo <DOT> org>
AuthorDate: Thu Dec  1 20:15:12 2016 +0000
Commit:     Ian Stakenvicius <axs <AT> gentoo <DOT> org>
CommitDate: Thu Dec  1 20:34:03 2016 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=22aa8bae

dev-libs/nss: bump to 3.27.2, add cacert class-1 certs to USE=cacert

Package-Manager: portage-2.3.0

 dev-libs/nss/Manifest          |   2 +
 dev-libs/nss/nss-3.27.2.ebuild | 339 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 341 insertions(+)

diff --git a/dev-libs/nss/Manifest b/dev-libs/nss/Manifest
index 73164e5..998387a 100644
--- a/dev-libs/nss/Manifest
+++ b/dev-libs/nss/Manifest
@@ -5,7 +5,9 @@ DIST nss-3.23.tar.gz 7467001 SHA256 
94b383e31c9671e9dfcca81084a8a813817e8f05a57f
 DIST nss-3.25.tar.gz 7338238 SHA256 
5d1ad475da19d0c033a716350dc5f8a747999d3eba5ac07ee0368c5bad6e2359 SHA512 
a33cff42d0d85eea091057648d598b7421de88f16ed357965ea08a8812de968c3f18d45452afd21afc90122f65c2c5bb2d7071357947b45e935aae55d28c4218
 WHIRLPOOL 
3857bffe7a58043612bbeaf0e596b3afdd4f0792441af667fb503dd2d354a535bb8523c258242b470d888ef2beff267b4480e6398a3328f0c44193b83f4a5934
 DIST nss-3.26.1.tar.gz 7387756 SHA256 
abebb079288e4b0d34648a1fcdba8564ac05b29f5f1d19b53021ccb3ac37ad25 SHA512 
f2a6754e4766cdf169b0abfc0ff47c469ae0e6ddc08c020ef154da7806e8ce31b49076af11b659bf19e9c4b5c6e53a0ac9e7855ee1c33b98a45cfeec446b93bd
 WHIRLPOOL 
9152e3c7430b3362647adb494d1983cc37659b1d8691f1f1e21470aab4f496f3aecd925b8e19d83fa3735e72eeb6d6579bcc304c30e48359d05cb6e052610b0f
 DIST nss-3.27.1.tar.gz 7397737 SHA256 
fd3637a1930cd838239a89633a7ed9a18859ae9b599043f3a18f726dc4ec2a6b SHA512 
b52bc18e42cab78a325a8c4fcf2894ca879cecbb657a852baf460551ed9727f145bc328ebb61a43a1605b457f923a1495707ac4aee27be70220463818ed8db8d
 WHIRLPOOL 
17174b7d43bd82b9e805d653a7ea8b79bc2647a5891806c1cb77e2ac99e40eb64ffee03e105a41c375ba37e26cafeff4bd4bad27c48e94ed388d0215d0545364
+DIST nss-3.27.2.tar.gz 7397599 SHA256 
dc8ac8524469d0230274fd13a53fdcd74efe4aa67205dde1a4a92be87dc28524 SHA512 
699847665e93fd649cb60ce6bc8f849f452779e7232a09bbeb0613f9e6c57bb81948f1ae59cc86648e41a212cda259109850ccd14546d35910deb75f5d2a13b8
 WHIRLPOOL 
08229d87de1c7020c1d7fc12fb8a2afc4bc9ab9f0208aad12698aba17386fbe9163cb506101c7d4d568409fd99141fb88c0e71fc32cecbc6640a4a8f7a4efabf
 DIST nss-3.27.tar.gz 7397210 SHA256 
021aa936b06f5815474dd5c137f2325b3fe06caa38d9798ca53ec30b537301fa SHA512 
a79c31d3ade72897928cdb1cfbf9236ea781fb1951904f2f5d9688afc4e55722ba75ea5a46622d1fa45d55bb2666d05a0df3a2c2ac16ce53335722618523c272
 WHIRLPOOL 
16277ba6cb3c71afeab7a5ce92ba0b3c0ec8622edc87bb1fe48dad86a910fa71a09db4c83ec8a973a048c5b925dbad2bc9d6361a66b94744479c47364e7ad5c5
+DIST nss-cacert-class1-class3.patch 22950 SHA256 
6bba29cee34276e2ca6436dabedfeba2b61fb46668c5d5ceabf0c871574649bf SHA512 
a5aa740bf110a3f0262e3f1ef2fc739ac2b44f042e220039d48aee8e97cd764d5c10718220364f4098aba955882bd02cadb5481512388971a8290312f88a7df0
 WHIRLPOOL 
1246223b01292604e5609bb9c580f092dc5937bf8c98f6891b099e8bab960e03612b6617e30a55d6ff8817d88f190e03812fe8f89f84f25c20970493dc2f7700
 DIST nss-pem-015ae754dd9f6fbcd7e52030ec9732eb27fc06a8.tar.bz2 27506 SHA256 
50d9ec26a75835e900302f631456e278e13d4b435b8f98aa69f79dd439ddc6ab SHA512 
0158a140f112a905f7db5a4f4d04f49f6742db1d2665ddf6c32913c367f0b93a57f86ba13b9883a42a528aff44c48196941d7c0fd7a27005db6adaf07802e501
 WHIRLPOOL 
279ef11d2d6f0cb7c192189d64bc6971cdada7417b93a65a3ff0ba4548b736b53b9812803024c2349114e94e0864f2b58c23812687ed3f75cf28334b0f6e11ac
 DIST nss-pem-20140125.tar.bz2 28805 SHA256 
62604dfc4178399a804e87ca7566d8316a0a40a535de3b2d0fa48fd80c97f768 SHA512 
352faf812735e1374c534ada6dd577842603ea193dafaacfd51f201599ffe3f7a23ce1c673421e42f8b692091b58085f90843c29f70ae916949715e7baba2b39
 WHIRLPOOL 
3ae81410f6f4d2699e9dc55982cad03c226045fbeee25984d53d37ff78ce5c96d008d6837e1c0a10b6c96cdff17c21142e437159896d314e81afc8820867ca62
 DIST nss-pem-20160329.tar.xz 27732 SHA256 
6c13c342e7a9fe34b585556099beca33c3078b3df3e11b72827fb70232ac1443 SHA512 
5834b06e4c64205447573d4f4c8989e20986ae67ee00eebce3817eb73794a6355a404143ba1c676ec302ceefaf9df103cb879b1d4ff14ba4e3790dbee3e40eb2
 WHIRLPOOL 
16fb714fab29e44f7a15fa1928a0f4c1a770f0847b8da97816e29a3b124dee782cffe2357648c445f4d29081f349571b6fffe48c5bc725c7c2dde491f3e0e836

diff --git a/dev-libs/nss/nss-3.27.2.ebuild b/dev-libs/nss/nss-3.27.2.ebuild
new file mode 100644
index 00000000..231ea3e
--- /dev/null
+++ b/dev-libs/nss/nss-3.27.2.ebuild
@@ -0,0 +1,339 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=6
+
+inherit eutils flag-o-matic multilib toolchain-funcs multilib-minimal
+
+NSPR_VER="4.12"
+RTM_NAME="NSS_${PV//./_}_RTM"
+# Rev of https://git.fedorahosted.org/cgit/nss-pem.git
+PEM_GIT_REV="429b0222759d8ad8e6dcd29e62875ae3efd69116"
+PEM_P="${PN}-pem-20160329"
+
+DESCRIPTION="Mozilla's Network Security Services library that implements PKI 
support"
+HOMEPAGE="http://www.mozilla.org/projects/security/pki/nss/";
+SRC_URI="https://archive.mozilla.org/pub/security/nss/releases/${RTM_NAME}/src/${P}.tar.gz
+       cacert? ( 
https://dev.gentoo.org/~axs/distfiles/${PN}-cacert-class1-class3.patch )
+       nss-pem? ( https://dev.gentoo.org/~polynomial-c/${PEM_P}.tar.xz )"
+
+LICENSE="|| ( MPL-2.0 GPL-2 LGPL-2.1 )"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 
~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~x86-macos 
~sparc-solaris ~x64-solaris ~x86-solaris"
+IUSE="cacert +nss-pem utils"
+CDEPEND=">=dev-db/sqlite-3.8.2[${MULTILIB_USEDEP}]
+       >=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}]"
+DEPEND=">=virtual/pkgconfig-0-r1[${MULTILIB_USEDEP}]
+       >=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}]
+       ${CDEPEND}"
+RDEPEND=">=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}]
+       ${CDEPEND}
+       abi_x86_32? (
+               !<=app-emulation/emul-linux-x86-baselibs-20140508-r12
+               !app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
+       )"
+
+RESTRICT="test"
+
+S="${WORKDIR}/${P}/${PN}"
+
+MULTILIB_CHOST_TOOLS=(
+       /usr/bin/nss-config
+)
+
+PATCHES=(
+       # Custom changes for gentoo
+       "${FILESDIR}/${PN}-3.21-gentoo-fixups.patch"
+       "${FILESDIR}/${PN}-3.21-gentoo-fixup-warnings.patch"
+       "${FILESDIR}/${PN}-3.23-hppa-byte_order.patch"
+)
+
+src_unpack() {
+       unpack ${A}
+       if use nss-pem ; then
+               mv "${PN}"/lib/ckfw/pem/ "${S}"/lib/ckfw/ || die
+       fi
+}
+
+src_prepare() {
+       if use nss-pem ; then
+               PATCHES+=(
+                       "${FILESDIR}/${PN}-3.21-enable-pem.patch"
+               )
+       fi
+       if use cacert ; then #521462
+               PATCHES+=(
+                       "${DISTDIR}/${PN}-cacert-class1-class3.patch"
+               )
+       fi
+
+       default
+
+       pushd coreconf >/dev/null || die
+       # hack nspr paths
+       echo 'INCLUDES += -I$(DIST)/include/dbm' \
+               >> headers.mk || die "failed to append include"
+
+       # modify install path
+       sed -e '/CORE_DEPTH/s:SOURCE_PREFIX.*$:SOURCE_PREFIX = 
$(CORE_DEPTH)/dist:' \
+               -i source.mk || die
+
+       # Respect LDFLAGS
+       sed -i -e 's/\$(MKSHLIB) -o/\$(MKSHLIB) \$(LDFLAGS) -o/g' rules.mk
+       popd >/dev/null || die
+
+       # Fix pkgconfig file for Prefix
+       sed -i -e "/^PREFIX =/s:= /usr:= ${EPREFIX}/usr:" \
+               config/Makefile || die
+
+       # use host shlibsign if need be #436216
+       if tc-is-cross-compiler ; then
+               sed -i \
+                       -e 's:"${2}"/shlibsign:shlibsign:' \
+                       cmd/shlibsign/sign.sh || die
+       fi
+
+       # dirty hack
+       sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../freebl/\$(OBJDIR):" \
+               lib/ssl/config.mk || die
+       sed -i -e 
"/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../../lib/freebl/\$(OBJDIR):" \
+               cmd/platlibs.mk || die
+
+       multilib_copy_sources
+
+       strip-flags
+}
+
+multilib_src_configure() {
+       # Ensure we stay multilib aware
+       sed -i -e "/@libdir@/ s:lib64:$(get_libdir):" config/Makefile || die
+}
+
+nssarch() {
+       # Most of the arches are the same as $ARCH
+       local t=${1:-${CHOST}}
+       case ${t} in
+               aarch64*)echo "aarch64";;
+               hppa*)   echo "parisc";;
+               i?86*)   echo "i686";;
+               x86_64*) echo "x86_64";;
+               *)       tc-arch ${t};;
+       esac
+}
+
+nssbits() {
+       local cc cppflags="${1}CPPFLAGS" cflags="${1}CFLAGS"
+       if [[ ${1} == BUILD_ ]]; then
+               cc=$(tc-getBUILD_CC)
+       else
+               cc=$(tc-getCC)
+       fi
+       echo > "${T}"/test.c || die
+       ${cc} ${!cppflags} ${!cflags} -c "${T}"/test.c -o "${T}/${1}test.o" || 
die
+       case $(file "${T}/${1}test.o") in
+               *32-bit*x86-64*) echo USE_X32=1;;
+               *64-bit*|*ppc64*|*x86_64*) echo USE_64=1;;
+               *32-bit*|*ppc*|*i386*) ;;
+               *) die "Failed to detect whether ${cc} builds 64bits or 32bits, 
disable distcc if you're using it, please";;
+       esac
+}
+
+multilib_src_compile() {
+       # use ABI to determine bit'ness, or fallback if unset
+       local buildbits mybits
+       case "${ABI}" in
+               n32) mybits="USE_N32=1";;
+               x32) mybits="USE_X32=1";;
+               s390x|*64) mybits="USE_64=1";;
+               ${DEFAULT_ABI})
+                       einfo "Running compilation test to determine bit'ness"
+                       mybits=$(nssbits)
+                       ;;
+       esac
+       # bitness of host may differ from target
+       if tc-is-cross-compiler; then
+               buildbits=$(nssbits BUILD_)
+       fi
+
+       local makeargs=(
+               CC="$(tc-getCC)"
+               AR="$(tc-getAR) rc \$@"
+               RANLIB="$(tc-getRANLIB)"
+               OPTIMIZER=
+               ${mybits}
+       )
+
+       # Take care of nspr settings #436216
+       local myCPPFLAGS="${CPPFLAGS} $($(tc-getPKG_CONFIG) nspr --cflags)"
+       unset NSPR_INCLUDE_DIR
+
+       # Do not let `uname` be used.
+       if use kernel_linux ; then
+               makeargs+=(
+                       OS_TARGET=Linux
+                       OS_RELEASE=2.6
+                       OS_TEST="$(nssarch)"
+               )
+       fi
+
+       export NSS_ENABLE_WERROR=0 #567158
+       export BUILD_OPT=1
+       export NSS_USE_SYSTEM_SQLITE=1
+       export NSDISTMODE=copy
+       export NSS_ENABLE_ECC=1
+       export FREEBL_NO_DEPEND=1
+       export ASFLAGS=""
+
+       local d
+
+       # Build the host tools first.
+       LDFLAGS="${BUILD_LDFLAGS}" \
+       XCFLAGS="${BUILD_CFLAGS}" \
+       NSPR_LIB_DIR="${T}/fakedir" \
+       emake -j1 -C coreconf \
+               CC="$(tc-getBUILD_CC)" \
+               ${buildbits:-${mybits}}
+       makeargs+=( NSINSTALL="${PWD}/$(find -type f -name nsinstall)" )
+
+       # Then build the target tools.
+       for d in . lib/dbm ; do
+               CPPFLAGS="${myCPPFLAGS}" \
+               XCFLAGS="${CFLAGS} ${CPPFLAGS}" \
+               NSPR_LIB_DIR="${T}/fakedir" \
+               emake -j1 "${makeargs[@]}" -C ${d}
+       done
+}
+
+# Altering these 3 libraries breaks the CHK verification.
+# All of the following cause it to break:
+# - stripping
+# - prelink
+# - ELF signing
+# http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn6.html
+# Either we have to NOT strip them, or we have to forcibly resign after
+# stripping.
+#local_libdir="$(get_libdir)"
+#export STRIP_MASK="
+#      */${local_libdir}/libfreebl3.so*
+#      */${local_libdir}/libnssdbm3.so*
+#      */${local_libdir}/libsoftokn3.so*"
+
+export NSS_CHK_SIGN_LIBS="freebl3 nssdbm3 softokn3"
+
+generate_chk() {
+       local shlibsign="$1"
+       local libdir="$2"
+       einfo "Resigning core NSS libraries for FIPS validation"
+       shift 2
+       local i
+       for i in ${NSS_CHK_SIGN_LIBS} ; do
+               local libname=lib${i}.so
+               local chkname=lib${i}.chk
+               "${shlibsign}" \
+                       -i "${libdir}"/${libname} \
+                       -o "${libdir}"/${chkname}.tmp \
+               && mv -f \
+                       "${libdir}"/${chkname}.tmp \
+                       "${libdir}"/${chkname} \
+               || die "Failed to sign ${libname}"
+       done
+}
+
+cleanup_chk() {
+       local libdir="$1"
+       shift 1
+       local i
+       for i in ${NSS_CHK_SIGN_LIBS} ; do
+               local libfname="${libdir}/lib${i}.so"
+               # If the major version has changed, then we have old chk files.
+               [ ! -f "${libfname}" -a -f "${libfname}.chk" ] \
+                       && rm -f "${libfname}.chk"
+       done
+}
+
+multilib_src_install() {
+       pushd dist >/dev/null || die
+
+       dodir /usr/$(get_libdir)
+       cp -L */lib/*$(get_libname) "${ED}"/usr/$(get_libdir) || die "copying 
shared libs failed"
+       cp -L */lib/libcrmf.a "${ED}"/usr/$(get_libdir) || die "copying libs 
failed"
+       cp -L */lib/libfreebl.a "${ED}"/usr/$(get_libdir) || die "copying libs 
failed"
+
+       # Install nss-config and pkgconfig file
+       dodir /usr/bin
+       cp -L */bin/nss-config "${ED}"/usr/bin || die
+       dodir /usr/$(get_libdir)/pkgconfig
+       cp -L */lib/pkgconfig/nss.pc "${ED}"/usr/$(get_libdir)/pkgconfig || die
+
+       # create an nss-softokn.pc from nss.pc for libfreebl and some private 
headers
+       # bug 517266
+       sed     -e 's#Libs:#Libs: -lfreebl#' \
+               -e 's#Cflags:#Cflags: -I${includedir}/private#' \
+               */lib/pkgconfig/nss.pc 
>"${ED}"/usr/$(get_libdir)/pkgconfig/nss-softokn.pc \
+               || die "could not create nss-softokn.pc"
+
+       # all the include files
+       insinto /usr/include/nss
+       doins public/nss/*.h
+       insinto /usr/include/nss/private
+       doins private/nss/{blapi,alghmac}.h
+
+       popd >/dev/null || die
+
+       local f nssutils
+       # Always enabled because we need it for chk generation.
+       nssutils="shlibsign"
+
+       if multilib_is_native_abi ; then
+               if use utils; then
+                       # The tests we do not need to install.
+                       #nssutils_test="bltest crmftest dbtest dertimetest
+                       #fipstest remtest sdrtest"
+                       # checkcert utils has been removed in nss-3.22:
+                       # https://bugzilla.mozilla.org/show_bug.cgi?id=1187545
+                       # https://hg.mozilla.org/projects/nss/rev/df1729d37870
+                       nssutils="addbuiltin atob baddbdir btoa certcgi certutil
+                       cmsutil conflict crlutil derdump digest makepqg mangle 
modutil multinit
+                       nonspr10 ocspclnt oidcalc p7content p7env p7sign 
p7verify pk11mode
+                       pk12util pp rsaperf selfserv shlibsign signtool signver 
ssltap strsclnt
+                       symkeyutil tstclnt vfychain vfyserv"
+                       # install man-pages for utils (bug #516810)
+                       doman doc/nroff/*.1
+               fi
+               pushd dist/*/bin >/dev/null || die
+               for f in ${nssutils}; do
+                       dobin ${f}
+               done
+               popd >/dev/null || die
+       fi
+
+       # Prelink breaks the CHK files. We don't have any reliable way to run
+       # shlibsign after prelink.
+       dodir /etc/prelink.conf.d
+       printf -- "-b ${EPREFIX}/usr/$(get_libdir)/lib%s.so\n" 
${NSS_CHK_SIGN_LIBS} \
+               > "${ED}"/etc/prelink.conf.d/nss.conf
+}
+
+pkg_postinst() {
+       multilib_pkg_postinst() {
+               # We must re-sign the libraries AFTER they are stripped.
+               local shlibsign="${EROOT}/usr/bin/shlibsign"
+               # See if we can execute it (cross-compiling & such). #436216
+               "${shlibsign}" -h >&/dev/null
+               if [[ $? -gt 1 ]] ; then
+                       shlibsign="shlibsign"
+               fi
+               generate_chk "${shlibsign}" "${EROOT}"/usr/$(get_libdir)
+       }
+
+       multilib_foreach_abi multilib_pkg_postinst
+}
+
+pkg_postrm() {
+       multilib_pkg_postrm() {
+               cleanup_chk "${EROOT}"/usr/$(get_libdir)
+       }
+
+       multilib_foreach_abi multilib_pkg_postrm
+}

Reply via email to