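{ lib, stdenv, fetchurl, nspr, perl, zlib
, sqlite, ninja
, darwin, fixDarwinDylibNames, buildPackages
, useP11kit ? true, p11-kit
, # allow FIPS mode. Note that this makes the output non-reproducible:
  # FIPS mode checks the crypto modules against signature files that
  # shlibsign generates at build time (see postFixup below).
  # https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_Tech_Notes/nss_tech_note6
  enableFIPS ? false
}:

let
  # Out-of-tree PEM-file support (libnsspem), applied on top of the release
  # tarball in prePatch. fetchurl is content-addressed: the sha256 below, not
  # the transport, is what pins the patch's integrity; https is used anyway so
  # a network attacker cannot even see/alter what is fetched in transit.
  nssPEM = fetchurl {
    url = "https://dev.gentoo.org/~polynomial-c/mozilla/nss-3.15.4-pem-support-20140109.patch.xz";
    sha256 = "10ibz6y0hknac15zr6dw4gv9nb5r5z9ym6gq18j3xqx7v7n3vpdw";
  };

  # NOTE: Whenever you updated this version check if the `cacert` package also
  # needs an update. You can run the regular updater script for cacerts.
  # It will rebuild itself using the version of this package (NSS) and if
  # an update is required do the required changes to the expression.
  # Example: nix-shell ./maintainers/scripts/update.nix --argstr package cacert
  version = "3.62";

  # Upstream release directories are named NSS_3_62_RTM, not NSS_3.62_RTM.
  underscoreVersion = builtins.replaceStrings ["."] ["_"] version;

in stdenv.mkDerivation rec {
  pname = "nss";
  inherit version;

  src = fetchurl {
    url = "mirror://mozilla/security/nss/releases/NSS_${underscoreVersion}_RTM/src/${pname}-${version}.tar.gz";
    sha256 = "0y2ld90bncjjggrn64c7g7mq9i03z6dc3r2kz978snz2xiydzml6";
  };

  depsBuildBuild = [ buildPackages.stdenv.cc ];

  # build.sh drives a gyp + ninja build; gyp only ever runs on the build
  # machine, hence buildPackages.python3.
  nativeBuildInputs = [ perl ninja (buildPackages.python3.withPackages (ps: with ps; [ gyp ])) ]
    ++ lib.optionals stdenv.hostPlatform.isDarwin [ darwin.cctools fixDarwinDylibNames ];

  buildInputs = [ zlib sqlite ];

  # NSS headers include NSPR headers, so every consumer needs NSPR as well.
  propagatedBuildInputs = [ nspr ];

  prePatch = ''
    # Apply the PEM patch. On the way, strip the trailing whitespace from the
    # patch line and rename the CKO_NETSCAPE_/CKT_NETSCAPE_ enums to their
    # current CKO_NSS_/CKT_NSS_ names.
    xz -d < ${nssPEM} | sed \
      -e 's/-DIRS = builtins $/-DIRS = . builtins /g' \
      -e 's/CKO_NETSCAPE_/CKO_NSS_/g' \
      -e 's/CKT_NETSCAPE_/CKT_NSS_/g' \
      | patch -p1

    patchShebangs nss

    # The build scripts hard-code /usr/bin paths; point them at the build
    # platform's coreutils. The env replacement must run before the grep one,
    # since the grep replacement itself introduces a .../bin/env path.
    for f in nss/coreconf/config.gypi nss/build.sh; do
      substituteInPlace "$f" --replace "/usr/bin/env" "${buildPackages.coreutils}/bin/env"
    done
    substituteInPlace nss/coreconf/config.gypi --replace "/usr/bin/grep" "${buildPackages.coreutils}/bin/env grep"
  '';

  patches = [
    # Based on http://patch-tracker.debian.org/patch/series/dl/nss/2:3.15.4-1/85_security_load.patch
    # Makes softoken load its helper libraries from the fixed directory given
    # by NIX_NSS_LIBDIR (set in NIX_CFLAGS_COMPILE below) rather than relative
    # to the calling program.
    ./85_security_load.patch
    ./ckpem.patch
    ./fix-cross-compilation.patch
  ];

  patchFlags = [ "-p0" ];

  # On Darwin the install names default to @executable_path; rewrite them to
  # the absolute store path so dependents can resolve the dylibs.
  postPatch = lib.optionalString stdenv.hostPlatform.isDarwin ''
    substituteInPlace nss/coreconf/Darwin.mk --replace '@executable_path/$(notdir $@)' "$out/lib/\$(notdir \$@)"
    substituteInPlace nss/coreconf/config.gypi --replace "'DYLIB_INSTALL_NAME_BASE': '@executable_path'" "'DYLIB_INSTALL_NAME_BASE': '$out/lib'"
  '';

  outputs = [ "out" "dev" "tools" ];

  preConfigure = "cd nss";

  buildPhase = let
    # Map a nixpkgs platform onto the architecture names build.sh/gyp expect;
    # anything not listed falls back to the parsed CPU name.
    getArch = platform:
      if platform.isx86_64 then "x64"
      else if platform.isx86_32 then "ia32"
      else if platform.isAarch32 then "arm"
      else if platform.isAarch64 then "arm64"
      else if platform.isPower && platform.is64bit then
        (if platform.isLittleEndian then "ppc64le" else "ppc64")
      else platform.parsed.cpu.name;
    # yes, this is correct. nixpkgs uses "host" for the platform the binary
    # will run on whereas nss uses "host" for the platform that the build is
    # running on
    target = getArch stdenv.hostPlatform;
    host = getArch stdenv.buildPlatform;
  in ''
    runHook preBuild

    # Have build.sh place its dist/obj trees directly in $out.
    sed -i 's|nss_dist_dir="$dist_dir"|nss_dist_dir="'$out'"|; s|nss_dist_obj_dir="$obj_dir"|nss_dist_obj_dir="'$out'"|' build.sh

    # Tests cannot run when cross-compiling, so they are disabled there.
    ./build.sh -v --opt \
      --with-nspr=${nspr.dev}/include:${nspr.out}/lib \
      --system-sqlite \
      --enable-legacy-db \
      --target ${target} \
      -Dhost_arch=${host} \
      -Duse_system_zlib=1 \
      --enable-libpkix \
      ${lib.optionalString enableFIPS "--enable-fips"} \
      ${lib.optionalString stdenv.isDarwin "--clang"} \
      ${lib.optionalString (stdenv.hostPlatform != stdenv.buildPlatform) "--disable-tests"}

    runHook postBuild
  '';

  # -Wno-error keeps upstream's -Werror from breaking the build on newer
  # compilers; NIX_NSS_LIBDIR is consumed by 85_security_load.patch.
  NIX_CFLAGS_COMPILE = "-Wno-error -DNIX_NSS_LIBDIR=\"${placeholder "out"}/lib/\"";

  installPhase = ''
    runHook preInstall

    rm -rf $out/private
    find $out -name "*.TOC" -delete
    mv $out/public $out/include
    ln -s lib $out/lib64

    # Upstream does not ship pkg-config files from the gyp build; generate
    # nss.pc and nss-config from the templates, as Gentoo does.
    # Upstream issue: https://bugzilla.mozilla.org/show_bug.cgi?id=530672
    # https://gitweb.gentoo.org/repo/gentoo.git/plain/dev-libs/nss/files/nss-3.32-gentoo-fixups.patch?id=af1acce6c6d2c3adb17689261dfe2c2b6771ab8a
    NSS_MAJOR_VERSION=`grep "NSS_VMAJOR" lib/nss/nss.h | awk '{print $3}'`
    NSS_MINOR_VERSION=`grep "NSS_VMINOR" lib/nss/nss.h | awk '{print $3}'`
    NSS_PATCH_VERSION=`grep "NSS_VPATCH" lib/nss/nss.h | awk '{print $3}'`
    PREFIX="$out"

    # The NSPR requirement in nss.pc states the NSPR this build actually
    # linked against instead of a stale hard-coded minimum.
    mkdir -p $out/lib/pkgconfig
    sed -e "s,%prefix%,$PREFIX," \
        -e "s,%exec_prefix%,$PREFIX," \
        -e "s,%libdir%,$PREFIX/lib64," \
        -e "s,%includedir%,$dev/include/nss," \
        -e "s,%NSS_VERSION%,$NSS_MAJOR_VERSION.$NSS_MINOR_VERSION.$NSS_PATCH_VERSION,g" \
        -e "s,%NSPR_VERSION%,${nspr.version},g" \
        pkg/pkg-config/nss.pc.in > $out/lib/pkgconfig/nss.pc
    chmod 0644 $out/lib/pkgconfig/nss.pc

    sed -e "s,@prefix@,$PREFIX," \
        -e "s,@MOD_MAJOR_VERSION@,$NSS_MAJOR_VERSION," \
        -e "s,@MOD_MINOR_VERSION@,$NSS_MINOR_VERSION," \
        -e "s,@MOD_PATCH_VERSION@,$NSS_PATCH_VERSION," \
        pkg/pkg-config/nss-config.in > $out/bin/nss-config
    chmod 0755 $out/bin/nss-config

    # Run postInstall here, at the end of the install phase, so anything it
    # installs still goes through fixupPhase (strip, rpath shrinking).
    runHook postInstall
  '';

  # Replace NSS's bundled root-CA trust module (libnssckbi) with p11-kit's
  # trust module, so NSS consumers honour the system trust store instead of
  # the certificate list compiled into NSS.
  postInstall = lib.optionalString useP11kit ''
    ln -sf ${p11-kit}/lib/pkcs11/p11-kit-trust.so $out/lib/libnssckbi.so
  '';

  postFixup = let
    isCross = stdenv.hostPlatform != stdenv.buildPlatform;
    # shlibsign has to run on the build machine, so a cross build borrows it
    # from the build platform's nss tools output.
    nss = if isCross then buildPackages.nss.tools else "$out";
    libExt = if stdenv.isDarwin then "dylib" else "so";
    libPathVar = if stdenv.isDarwin then "DYLD_LIBRARY_PATH" else "LD_LIBRARY_PATH";
  in lib.optionalString enableFIPS ''
    # Generate the signature (.chk) files that FIPS mode verifies when it
    # loads these modules. This must stay in postFixup, i.e. after stripping,
    # so the signatures cover the final library bytes.
    for libname in freebl3 nssdbm3 softokn3
    do
      libfile="$out/lib/lib$libname.${libExt}"
      ${libPathVar}=$out/lib:${nspr.out}/lib \
        ${nss}/bin/shlibsign -v -i "$libfile"
    done
  '' + ''
    moveToOutput bin "$tools"
    moveToOutput bin/nss-config "$dev"
    moveToOutput lib/libcrmf.a "$dev" # needed by firefox, for example
    rm -f "$out"/lib/*.a
  '';

  meta = with lib; {
    homepage = "https://developer.mozilla.org/en-US/docs/NSS";
    description = "A set of libraries for development of security-enabled client and server applications";
    license = licenses.mpl20;
    platforms = platforms.all;
  };
}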