diff options
Diffstat (limited to 'nixpkgs/pkgs/development/libraries/nss/default.nix')
| -rw-r--r-- | nixpkgs/pkgs/development/libraries/nss/default.nix | 31 |
1 files changed, 23 insertions, 8 deletions
diff --git a/nixpkgs/pkgs/development/libraries/nss/default.nix b/nixpkgs/pkgs/development/libraries/nss/default.nix index 8c8a25d807e7..17dc93c9f1ea 100644 --- a/nixpkgs/pkgs/development/libraries/nss/default.nix +++ b/nixpkgs/pkgs/development/libraries/nss/default.nix @@ -1,11 +1,21 @@ -{ stdenv, fetchurl, nspr, perl, zlib, sqlite, darwin, fixDarwinDylibNames, buildPackages, ninja }: +{ stdenv, fetchurl, nspr, perl, zlib, sqlite, darwin, fixDarwinDylibNames, buildPackages, ninja +, # allow FIPS mode. Note that this makes the output non-reproducible. + # https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_Tech_Notes/nss_tech_note6 + enableFIPS ? false +}: let nssPEM = fetchurl { url = "http://dev.gentoo.org/~polynomial-c/mozilla/nss-3.15.4-pem-support-20140109.patch.xz"; sha256 = "10ibz6y0hknac15zr6dw4gv9nb5r5z9ym6gq18j3xqx7v7n3vpdw"; }; - version = "3.58"; + + # NOTE: Whenever you updated this version check if the `cacert` package also + # needs an update. You can run the regular updater script for cacerts. + # It will rebuild itself using the version of this package (NSS) and if + # an update is required do the required changes to the expression. + # Example: nix-shell ./maintainers/scripts/update.nix --argstr package cacert + version = "3.60"; underscoreVersion = builtins.replaceStrings ["."] ["_"] version; in stdenv.mkDerivation rec { @@ -14,16 +24,15 @@ in stdenv.mkDerivation rec { src = fetchurl { url = "mirror://mozilla/security/nss/releases/NSS_${underscoreVersion}_RTM/src/${pname}-${version}.tar.gz"; - sha256 = "1h2kjdicnxprwf6brw0qinlay34vc0dmafajisbrn42zkdwcywwz"; + sha256 = "0ggyj3ax3kal65sl1vl4nfhx2s08blg4dg8iwlxcax5qb9bxbaw4"; }; depsBuildBuild = [ buildPackages.stdenv.cc ]; nativeBuildInputs = [ perl ninja (buildPackages.python3.withPackages (ps: with ps; [ gyp ])) ] - ++ stdenv.lib.optional stdenv.isDarwin darwin.cctools; + ++ stdenv.lib.optionals stdenv.hostPlatform.isDarwin [ darwin.cctools fixDarwinDylibNames ]; - buildInputs = [ zlib sqlite ] - ++ stdenv.lib.optional stdenv.isDarwin fixDarwinDylibNames; + buildInputs = [ zlib sqlite ]; propagatedBuildInputs = [ nspr ]; @@ -68,6 +77,9 @@ in stdenv.mkDerivation rec { else if platform.isx86_32 then "ia32" else if platform.isAarch32 then "arm" else if platform.isAarch64 then "arm64" + else if platform.isPower && platform.is64bit then ( + if platform.isLittleEndian then "ppc64le" else "ppc64" + ) else platform.parsed.cpu.name; # yes, this is correct. nixpkgs uses "host" for the platform the binary will run on whereas nss uses "host" for the platform that the build is running on target = getArch stdenv.hostPlatform; @@ -84,6 +96,7 @@ in stdenv.mkDerivation rec { -Dhost_arch=${host} \ -Duse_system_zlib=1 \ --enable-libpkix \ + ${stdenv.lib.optionalString enableFIPS "--enable-fips"} \ ${stdenv.lib.optionalString stdenv.isDarwin "--clang"} \ ${stdenv.lib.optionalString (stdenv.hostPlatform != stdenv.buildPlatform) "--disable-tests"} @@ -129,7 +142,8 @@ in stdenv.mkDerivation rec { postFixup = let isCross = stdenv.hostPlatform != stdenv.buildPlatform; nss = if isCross then buildPackages.nss.tools else "$out"; - in '' + in + (stdenv.lib.optionalString enableFIPS ('' for libname in freebl3 nssdbm3 softokn3 do '' + (if stdenv.isDarwin @@ -142,7 +156,8 @@ in stdenv.mkDerivation rec { '') + '' ${nss}/bin/shlibsign -v -i "$libfile" done - + '')) + + '' moveToOutput bin "$tools" moveToOutput bin/nss-config "$dev" moveToOutput lib/libcrmf.a "$dev" # needed by firefox, for example |