diff options
Diffstat (limited to 'nixpkgs/pkgs/development/libraries/nss')
7 files changed, 376 insertions, 0 deletions
diff --git a/nixpkgs/pkgs/development/libraries/nss/85_security_load_3.85+.patch b/nixpkgs/pkgs/development/libraries/nss/85_security_load_3.85+.patch new file mode 100644 index 000000000000..bc3f48e66744 --- /dev/null +++ b/nixpkgs/pkgs/development/libraries/nss/85_security_load_3.85+.patch @@ -0,0 +1,76 @@ +diff --git nss/cmd/shlibsign/shlibsign.c nss/cmd/shlibsign/shlibsign.c +index ad8f3b84e..74676d039 100644 +--- nss/cmd/shlibsign/shlibsign.c ++++ nss/cmd/shlibsign/shlibsign.c +@@ -875,6 +875,8 @@ main(int argc, char **argv) + goto cleanup; + } + lib = PR_LoadLibrary(libname); ++ if (!lib) ++ lib = PR_LoadLibrary(NIX_NSS_LIBDIR"libsoftokn3.so"); + assert(lib != NULL); + if (!lib) { + PR_fprintf(PR_STDERR, "loading softokn3 failed"); +diff --git nss/lib/pk11wrap/pk11load.c nss/lib/pk11wrap/pk11load.c +index 119c8c512..720d39ccc 100644 +--- nss/lib/pk11wrap/pk11load.c ++++ nss/lib/pk11wrap/pk11load.c +@@ -486,6 +486,15 @@ secmod_LoadPKCS11Module(SECMODModule *mod, SECMODModule **oldModule) + #else + library = PR_LoadLibrary(mod->dllName); + #endif // defined(_WIN32) ++#ifndef NSS_STATIC_SOFTOKEN ++ if ((library == NULL) && ++ !rindex(mod->dllName, PR_GetDirectorySeparator())) { ++ library = PORT_LoadLibraryFromOrigin(my_shlib_name, ++ (PRFuncPtr) &softoken_LoadDSO, ++ mod->dllName); ++ } ++#endif ++ + mod->library = (void *)library; + + if (library == NULL) { +diff --git nss/lib/util/secload.c nss/lib/util/secload.c +index 1cebae4e2..9194bb761 100644 +--- nss/lib/util/secload.c ++++ nss/lib/util/secload.c +@@ -70,9 +70,14 @@ loader_LoadLibInReferenceDir(const char* referencePath, const char* name) + + /* Remove the trailing filename from referencePath and add the new one */ + c = strrchr(referencePath, PR_GetDirectorySeparator()); ++ if (!c) { /* referencePath doesn't contain a / means that dladdr gave us argv[0] ++ * and program was called from $PATH. Hack to get libs from NIX_NSS_LIBDIR */ ++ referencePath = NIX_NSS_LIBDIR; ++ c = (char*) &referencePath[sizeof(NIX_NSS_LIBDIR) - 1]; /* last / */ ++ } + if (c) { + size_t referencePathSize = 1 + c - referencePath; +- fullName = (char*)PORT_Alloc(strlen(name) + referencePathSize + 1); ++ fullName = (char*) PORT_Alloc(strlen(name) + referencePathSize + 5); + if (fullName) { + memcpy(fullName, referencePath, referencePathSize); + strcpy(fullName + referencePathSize, name); +@@ -82,6 +87,11 @@ loader_LoadLibInReferenceDir(const char* referencePath, const char* name) + #endif + libSpec.type = PR_LibSpec_Pathname; + libSpec.value.pathname = fullName; ++ if ((referencePathSize >= 4) && ++ (strncmp(fullName + referencePathSize - 4, "bin", 3) == 0)) { ++ memcpy(fullName + referencePathSize -4, "lib", 3); ++ } ++ strcpy(fullName + referencePathSize, name); + dlh = PR_LoadLibraryWithFlags(libSpec, PR_LD_NOW | PR_LD_LOCAL + #ifdef PR_LD_ALT_SEARCH_PATH + /* allow library's dependencies to be found in the same directory +@@ -89,6 +99,10 @@ loader_LoadLibInReferenceDir(const char* referencePath, const char* name) + | PR_LD_ALT_SEARCH_PATH + #endif + ); ++ if (!dlh) { ++ strcpy(fullName + referencePathSize, name); ++ dlh = PR_LoadLibraryWithFlags(libSpec, PR_LD_NOW | PR_LD_LOCAL); ++ } + PORT_Free(fullName); + } + } diff --git a/nixpkgs/pkgs/development/libraries/nss/esr.nix b/nixpkgs/pkgs/development/libraries/nss/esr.nix new file mode 100644 index 000000000000..95c9aa0e1997 --- /dev/null +++ b/nixpkgs/pkgs/development/libraries/nss/esr.nix @@ -0,0 +1,4 @@ +import ./generic.nix { + version = "3.90.2"; + hash = "sha256-4r/LhKilkSeEhw/rl2IRAn5xMJ74W5ACg7fX0e4GQxA="; +} diff --git a/nixpkgs/pkgs/development/libraries/nss/fix-cross-compilation.patch b/nixpkgs/pkgs/development/libraries/nss/fix-cross-compilation.patch new file mode 100644 index 000000000000..42b0620f48d9 --- /dev/null +++ b/nixpkgs/pkgs/development/libraries/nss/fix-cross-compilation.patch @@ -0,0 +1,11 @@ +--- nss/nss.gyp ++++ nss/nss.gyp +@@ -280,7 +280,7 @@ + 'outputs/': [['exclude', 'nssdbm3']] + }], + ], +- 'action': ['<(python)', '<(DEPTH)/coreconf/shlibsign.py', '<@(_inputs)'] ++ 'action': ['true'] + } + ], + }, diff --git a/nixpkgs/pkgs/development/libraries/nss/generic.nix b/nixpkgs/pkgs/development/libraries/nss/generic.nix new file mode 100644 index 000000000000..cab8a0ff2bc1 --- /dev/null +++ b/nixpkgs/pkgs/development/libraries/nss/generic.nix @@ -0,0 +1,196 @@ +{ version, hash }: +{ lib +, stdenv +, fetchFromGitHub +, nspr +, perl +, zlib +, sqlite +, ninja +, darwin +, fixDarwinDylibNames +, buildPackages +, useP11kit ? true +, p11-kit +, # allow FIPS mode. Note that this makes the output non-reproducible. + # https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_Tech_Notes/nss_tech_note6 + enableFIPS ? false +, nixosTests +, nss_latest +}: + +let + underscoreVersion = lib.replaceStrings [ "." ] [ "_" ] version; +in +stdenv.mkDerivation rec { + pname = "nss"; + inherit version; + + src = fetchFromGitHub { + owner = "nss-dev"; + repo = "nss"; + rev = "NSS_${lib.replaceStrings ["."] ["_"] version}_RTM"; + inherit hash; + }; + + depsBuildBuild = [ buildPackages.stdenv.cc ]; + + nativeBuildInputs = [ perl ninja (buildPackages.python3.withPackages (ps: with ps; [ gyp ])) ] + ++ lib.optionals stdenv.hostPlatform.isDarwin [ darwin.cctools fixDarwinDylibNames ]; + + buildInputs = [ zlib sqlite ]; + + propagatedBuildInputs = [ nspr ]; + + patches = [ + # Based on http://patch-tracker.debian.org/patch/series/dl/nss/2:3.15.4-1/85_security_load.patch + ./85_security_load_3.85+.patch + ./fix-cross-compilation.patch + ] ++ lib.optionals (lib.versionOlder version "3.91") [ + # https://bugzilla.mozilla.org/show_bug.cgi?id=1836925 + # https://phabricator.services.mozilla.com/D180068 + ./remove-c25519-support.patch + ]; + + postPatch = '' + patchShebangs . + + for f in coreconf/config.gypi build.sh; do + substituteInPlace "$f" --replace "/usr/bin/env" "${buildPackages.coreutils}/bin/env" + done + + substituteInPlace coreconf/config.gypi --replace "/usr/bin/grep" "${buildPackages.coreutils}/bin/env grep" + '' + lib.optionalString stdenv.hostPlatform.isDarwin '' + substituteInPlace coreconf/Darwin.mk --replace '@executable_path/$(notdir $@)' "$out/lib/\$(notdir \$@)" + substituteInPlace coreconf/config.gypi --replace "'DYLIB_INSTALL_NAME_BASE': '@executable_path'" "'DYLIB_INSTALL_NAME_BASE': '$out/lib'" + ''; + + outputs = [ "out" "dev" "tools" ]; + + buildPhase = + let + getArch = platform: + if platform.isx86_64 then "x64" + else if platform.isx86_32 then "ia32" + else if platform.isAarch32 then "arm" + else if platform.isAarch64 then "arm64" + else if platform.isPower && platform.is64bit then + ( + if platform.isLittleEndian then "ppc64le" else "ppc64" + ) + else platform.parsed.cpu.name; + # yes, this is correct. nixpkgs uses "host" for the platform the binary will run on whereas nss uses "host" for the platform that the build is running on + target = getArch stdenv.hostPlatform; + host = getArch stdenv.buildPlatform; + in + '' + runHook preBuild + + sed -i 's|nss_dist_dir="$dist_dir"|nss_dist_dir="'$out'"|;s|nss_dist_obj_dir="$obj_dir"|nss_dist_obj_dir="'$out'"|' build.sh + ./build.sh -v --opt \ + --with-nspr=${nspr.dev}/include:${nspr.out}/lib \ + --system-sqlite \ + --enable-legacy-db \ + --target ${target} \ + -Dhost_arch=${host} \ + -Duse_system_zlib=1 \ + --enable-libpkix \ + -j $NIX_BUILD_CORES \ + ${lib.optionalString enableFIPS "--enable-fips"} \ + ${lib.optionalString stdenv.isDarwin "--clang"} \ + ${lib.optionalString (stdenv.hostPlatform != stdenv.buildPlatform) "--disable-tests"} + + runHook postBuild + ''; + + env.NIX_CFLAGS_COMPILE = toString ([ + "-Wno-error" + "-DNIX_NSS_LIBDIR=\"${placeholder "out"}/lib/\"" + ] ++ lib.optionals stdenv.hostPlatform.is64bit [ + "-DNSS_USE_64=1" + ] ++ lib.optionals stdenv.hostPlatform.isILP32 [ + "-DNS_PTR_LE_32=1" # See RNG_RandomUpdate() in drdbg.c + ]); + + installPhase = '' + runHook preInstall + + rm -rf $out/private + find $out -name "*.TOC" -delete + mv $out/public $out/include + + ln -s lib $out/lib64 + + # Upstream issue: https://bugzilla.mozilla.org/show_bug.cgi?id=530672 + # https://gitweb.gentoo.org/repo/gentoo.git/plain/dev-libs/nss/files/nss-3.32-gentoo-fixups.patch?id=af1acce6c6d2c3adb17689261dfe2c2b6771ab8a + NSS_MAJOR_VERSION=`grep "NSS_VMAJOR" lib/nss/nss.h | awk '{print $3}'` + NSS_MINOR_VERSION=`grep "NSS_VMINOR" lib/nss/nss.h | awk '{print $3}'` + NSS_PATCH_VERSION=`grep "NSS_VPATCH" lib/nss/nss.h | awk '{print $3}'` + PREFIX="$out" + + mkdir -p $out/lib/pkgconfig + sed -e "s,%prefix%,$PREFIX," \ + -e "s,%exec_prefix%,$PREFIX," \ + -e "s,%libdir%,$PREFIX/lib64," \ + -e "s,%includedir%,$dev/include/nss," \ + -e "s,%NSS_VERSION%,$NSS_MAJOR_VERSION.$NSS_MINOR_VERSION.$NSS_PATCH_VERSION,g" \ + -e "s,%NSPR_VERSION%,4.16,g" \ + pkg/pkg-config/nss.pc.in > $out/lib/pkgconfig/nss.pc + chmod 0644 $out/lib/pkgconfig/nss.pc + + sed -e "s,@prefix@,$PREFIX," \ + -e "s,@MOD_MAJOR_VERSION@,$NSS_MAJOR_VERSION," \ + -e "s,@MOD_MINOR_VERSION@,$NSS_MINOR_VERSION," \ + -e "s,@MOD_PATCH_VERSION@,$NSS_PATCH_VERSION," \ + pkg/pkg-config/nss-config.in > $out/bin/nss-config + chmod 0755 $out/bin/nss-config + ''; + + postInstall = lib.optionalString useP11kit '' + # Replace built-in trust with p11-kit connection + ln -sf ${p11-kit}/lib/pkcs11/p11-kit-trust.so $out/lib/libnssckbi.so + ''; + + postFixup = + let + isCross = stdenv.hostPlatform != stdenv.buildPlatform; + nss = if isCross then buildPackages.nss.tools else "$out"; + in + (lib.optionalString enableFIPS ('' + for libname in freebl3 nssdbm3 softokn3 + do libfile="$out/lib/lib$libname${stdenv.hostPlatform.extensions.sharedLibrary}"'' + + (if stdenv.isDarwin + then '' + DYLD_LIBRARY_PATH=$out/lib:${nspr.out}/lib \ + '' else '' + LD_LIBRARY_PATH=$out/lib:${nspr.out}/lib \ + '') + '' + ${nss}/bin/shlibsign -v -i "$libfile" + done + '')) + + '' + moveToOutput bin "$tools" + moveToOutput bin/nss-config "$dev" + moveToOutput lib/libcrmf.a "$dev" # needed by firefox, for example + rm -f "$out"/lib/*.a + + runHook postInstall + ''; + + passthru.updateScript = ./update.sh; + + passthru.tests = lib.optionalAttrs (lib.versionOlder version nss_latest.version) { + inherit (nixosTests) firefox-esr-115; + } // lib.optionalAttrs (lib.versionAtLeast version nss_latest.version) { + inherit (nixosTests) firefox; + }; + + meta = with lib; { + homepage = "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS"; + description = "A set of libraries for development of security-enabled client and server applications"; + changelog = "https://github.com/nss-dev/nss/blob/master/doc/rst/releases/nss_${underscoreVersion}.rst"; + maintainers = with maintainers; [ hexa ajs124 ]; + license = licenses.mpl20; + platforms = platforms.all; + }; +} diff --git a/nixpkgs/pkgs/development/libraries/nss/latest.nix b/nixpkgs/pkgs/development/libraries/nss/latest.nix new file mode 100644 index 000000000000..8ac5a3b23a85 --- /dev/null +++ b/nixpkgs/pkgs/development/libraries/nss/latest.nix @@ -0,0 +1,10 @@ +# NOTE: Whenever you updated this version check if the `cacert` package also +# needs an update. You can run the regular updater script for cacerts. +# It will rebuild itself using the version of this package (NSS) and if +# an update is required do the required changes to the expression. +# Example: nix-shell ./maintainers/scripts/update.nix --argstr package cacert + +import ./generic.nix { + version = "3.99"; + hash = "sha256-6JocWJpA+VjEPZOxmD74toyEBLOTzCxSWUzrxPi52bU="; +} diff --git a/nixpkgs/pkgs/development/libraries/nss/remove-c25519-support.patch b/nixpkgs/pkgs/development/libraries/nss/remove-c25519-support.patch new file mode 100644 index 000000000000..d5dba016278f --- /dev/null +++ b/nixpkgs/pkgs/development/libraries/nss/remove-c25519-support.patch @@ -0,0 +1,69 @@ +diff --git a/nss/lib/freebl/Makefile b/nss/lib/freebl/Makefile +index 74e8e65..aa9dd95 100644 +--- nss/lib/freebl/Makefile ++++ nss/lib/freebl/Makefile +@@ -568,7 +568,6 @@ ifneq ($(shell $(CC) -? 2>&1 >/dev/null </dev/null | sed -e 's/:.*//;1q'),lcc) + HAVE_INT128_SUPPORT = 1 + DEFINES += -DHAVE_INT128_SUPPORT + else ifeq (1,$(CC_IS_GCC)) +- SUPPORTS_VALE_CURVE25519 = 1 + ifneq (,$(filter 4.6 4.7 4.8 4.9,$(word 1,$(GCC_VERSION)).$(word 2,$(GCC_VERSION)))) + HAVE_INT128_SUPPORT = 1 + DEFINES += -DHAVE_INT128_SUPPORT +@@ -593,11 +592,6 @@ ifndef HAVE_INT128_SUPPORT + DEFINES += -DKRML_VERIFIED_UINT128 + endif + +-ifdef SUPPORTS_VALE_CURVE25519 +- VERIFIED_SRCS += Hacl_Curve25519_64.c +- DEFINES += -DHACL_CAN_COMPILE_INLINE_ASM +-endif +- + ifndef NSS_DISABLE_CHACHAPOLY + ifeq ($(CPU_ARCH),x86_64) + ifndef NSS_DISABLE_AVX2 +diff --git a/nss/lib/freebl/freebl.gyp b/nss/lib/freebl/freebl.gyp +index 65f9a80..23940ef 100644 +--- nss/lib/freebl/freebl.gyp ++++ nss/lib/freebl/freebl.gyp +@@ -866,12 +866,6 @@ + }], + ], + }], +- [ 'supports_vale_curve25519==1', { +- 'defines': [ +- # The Makefile does version-tests on GCC, but we're not doing that here. +- 'HACL_CAN_COMPILE_INLINE_ASM', +- ], +- }], + [ 'OS=="linux" or OS=="android"', { + 'conditions': [ + [ 'target_arch=="x64"', { +@@ -934,11 +928,6 @@ + 'variables': { + 'module': 'nss', + 'conditions': [ +- [ 'target_arch=="x64" and cc_is_gcc==1', { +- 'supports_vale_curve25519%': 1, +- }, { +- 'supports_vale_curve25519%': 0, +- }], + [ 'target_arch=="x64" or target_arch=="arm64" or target_arch=="aarch64"', { + 'have_int128_support%': 1, + }, { +diff --git a/nss/lib/freebl/freebl_base.gypi b/nss/lib/freebl/freebl_base.gypi +index d198c44..34b6b3c 100644 +--- nss/lib/freebl/freebl_base.gypi ++++ nss/lib/freebl/freebl_base.gypi +@@ -151,11 +151,6 @@ + 'ecl/curve25519_32.c', + ], + }], +- ['supports_vale_curve25519==1', { +- 'sources': [ +- 'verified/Hacl_Curve25519_64.c', +- ], +- }], + ['(target_arch!="ppc64" and target_arch!="ppc64le") or disable_altivec==1', { + 'sources': [ + # Gyp does not support per-file cflags, so working around like this. diff --git a/nixpkgs/pkgs/development/libraries/nss/update.sh b/nixpkgs/pkgs/development/libraries/nss/update.sh new file mode 100755 index 000000000000..600dbdff004c --- /dev/null +++ b/nixpkgs/pkgs/development/libraries/nss/update.sh @@ -0,0 +1,10 @@ +#!/usr/bin/env nix-shell +#!nix-shell -i bash -p curl gnugrep gnused coreutils common-updater-scripts + +set -x + +base_url="https://ftp.mozilla.org/pub/security/nss/releases/" + +version="$(curl -sSL ${base_url} | grep 'RTM' | grep -v WITH_CKBI | sed 's|.*>\(NSS_[0-9]*_[0-9]*_*[0-9]*_*[0-9]*_RTM\)/.*|\1|g' | sed 's|NSS_||g' | sed 's|_RTM||g' | sed 's|_|.|g' | sort -V | tail -1)" +hash="$(nix-hash --type sha256 --base32 ${base_url}/NSS_${version/\./_}_RTM/src/nss-${version}.tar.gz)" +update-source-version nss "${version}" "${hash}" |