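# Mozilla NSS (Network Security Services) built from the upstream tarball with
# the ninja/gyp build, split into three outputs:
#   out   - shared libraries and the pkg-config file
#   dev   - headers, nss-config and libcrmf.a
#   tools - the NSS command-line utilities (certutil, pk12util, ...)
# Security-relevant knobs are `useP11kit` (system trust store via p11-kit) and
# `enableFIPS` (FIPS-mode softoken with signed libraries).
{ lib
, stdenv
, fetchurl
, nspr
, perl
, zlib
, sqlite
, ninja
, darwin
, fixDarwinDylibNames
, buildPackages
  # When true, the bundled Mozilla root-CA module (libnssckbi.so) is replaced
  # with a symlink to p11-kit's trust module, so NSS consumers use the
  # p11-kit trust store instead of the roots compiled into NSS.
, useP11kit ? true
, p11-kit
, # allow FIPS mode. Note that this makes the output non-reproducible.
  # https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_Tech_Notes/nss_tech_note6
  enableFIPS ? false
}:

let
  # Out-of-tree PEM module patch (Gentoo). The URL is plain http, but fetchurl
  # is a fixed-output derivation: the download is only accepted if it matches
  # the sha256 below, so the transport does not affect build-input integrity.
  nssPEM = fetchurl {
    url = "http://dev.gentoo.org/~polynomial-c/mozilla/nss-3.15.4-pem-support-20140109.patch.xz";
    sha256 = "10ibz6y0hknac15zr6dw4gv9nb5r5z9ym6gq18j3xqx7v7n3vpdw";
  };

  # NOTE: Whenever you updated this version check if the `cacert` package also
  # needs an update. You can run the regular updater script for cacerts.
  # It will rebuild itself using the version of this package (NSS) and if
  # an update is required do the required changes to the expression.
  # Example: nix-shell ./maintainers/scripts/update.nix --argstr package cacert
  version = "3.73";

in
stdenv.mkDerivation rec {
  pname = "nss";
  inherit version;

  src = fetchurl {
    # Upstream names release directories NSS_3_73_RTM, i.e. dots become underscores.
    url = "mirror://mozilla/security/nss/releases/NSS_${lib.replaceStrings ["."] ["_"] version}_RTM/src/${pname}-${version}.tar.gz";
    sha256 = "1rfqjq02rfv0ycdmvic51pi093rg33zb8kpqkvddf44vv9l3lvan";
  };

  # A build-platform compiler is needed as well: the NSS build compiles and runs
  # helper programs on the build machine even when cross-compiling.
  depsBuildBuild = [ buildPackages.stdenv.cc ];

  nativeBuildInputs = [ perl ninja (buildPackages.python3.withPackages (ps: with ps; [ gyp ])) ]
    ++ lib.optionals stdenv.hostPlatform.isDarwin [ darwin.cctools fixDarwinDylibNames ];

  buildInputs = [ zlib sqlite ];

  # NSS headers include NSPR headers, so downstream users need nspr too.
  propagatedBuildInputs = [ nspr ];

  prePatch = ''
    # strip the trailing whitespace from the patch line and the renamed CKO_NETSCAPE_ enum to CKO_NSS_
    xz -d < ${nssPEM} | sed \
      -e 's/-DIRS = builtins $/-DIRS = . builtins/g' \
      -e 's/CKO_NETSCAPE_/CKO_NSS_/g' \
      -e 's/CKT_NETSCAPE_/CKT_NSS_/g' \
      | patch -p1

    patchShebangs nss
    # Point the hard-coded /usr/bin/env uses at the build-platform coreutils
    # (these scripts run on the build machine, hence buildPackages).
    for f in nss/coreconf/config.gypi nss/build.sh; do
      substituteInPlace "$f" --replace "/usr/bin/env" "${buildPackages.coreutils}/bin/env"
    done
    # coreutils does not ship grep; resolve it through env from PATH instead.
    substituteInPlace nss/coreconf/config.gypi --replace "/usr/bin/grep" "${buildPackages.coreutils}/bin/env grep"
  '';

  patches = [
    # Based on http://patch-tracker.debian.org/patch/series/dl/nss/2:3.15.4-1/85_security_load.patch
    ./85_security_load.patch
    ./ckpem.patch
    ./fix-cross-compilation.patch
  ];

  patchFlags = [ "-p0" ];

  # On Darwin, make the install names absolute so the libraries are found
  # without relying on @executable_path.
  postPatch = lib.optionalString stdenv.hostPlatform.isDarwin ''
    substituteInPlace nss/coreconf/Darwin.mk --replace '@executable_path/$(notdir $@)' "$out/lib/\$(notdir \$@)"
    substituteInPlace nss/coreconf/config.gypi --replace "'DYLIB_INSTALL_NAME_BASE': '@executable_path'" "'DYLIB_INSTALL_NAME_BASE': '$out/lib'"
  '';

  outputs = [ "out" "dev" "tools" ];

  preConfigure = "cd nss";

  buildPhase =
    let
      # Map a nixpkgs platform onto the architecture names build.sh expects;
      # anything not listed falls back to the parsed CPU name.
      getArch = platform:
        if platform.isx86_64 then "x64"
        else if platform.isx86_32 then "ia32"
        else if platform.isAarch32 then "arm"
        else if platform.isAarch64 then "arm64"
        else if platform.isPower && platform.is64bit then
          (
            if platform.isLittleEndian then "ppc64le" else "ppc64"
          )
        else platform.parsed.cpu.name;
      # yes, this is correct. nixpkgs uses "host" for the platform the binary will run on whereas nss uses "host" for the platform that the build is running on
      target = getArch stdenv.hostPlatform;
      host = getArch stdenv.buildPlatform;
    in
    ''
      runHook preBuild

      # Make build.sh install straight into $out instead of its dist/ tree.
      sed -i 's|nss_dist_dir="$dist_dir"|nss_dist_dir="'$out'"|;s|nss_dist_obj_dir="$obj_dir"|nss_dist_obj_dir="'$out'"|' build.sh
      # Tests cannot run when cross-compiling, so they are only disabled then.
      ./build.sh -v --opt \
        --with-nspr=${nspr.dev}/include:${nspr.out}/lib \
        --system-sqlite \
        --enable-legacy-db \
        --target ${target} \
        -Dhost_arch=${host} \
        -Duse_system_zlib=1 \
        --enable-libpkix \
        ${lib.optionalString enableFIPS "--enable-fips"} \
        ${lib.optionalString stdenv.hostPlatform.isDarwin "--clang"} \
        ${lib.optionalString (stdenv.hostPlatform != stdenv.buildPlatform) "--disable-tests"}

      runHook postBuild
    '';

  # NIX_NSS_LIBDIR is the absolute library directory baked into the build;
  # presumably consumed by 85_security_load.patch so NSS can locate its own
  # modules without a relative search path (verify against the patch).
  NIX_CFLAGS_COMPILE = "-Wno-error -DNIX_NSS_LIBDIR=\"${placeholder "out"}/lib/\" " + lib.optionalString stdenv.hostPlatform.is64bit "-DNSS_USE_64=1";

  # NOTE(review): this phase does not call `runHook postInstall` itself; that
  # hook is run at the end of postFixup below, so postInstall (the p11-kit
  # symlink) only happens after the outputs have been split.
  installPhase = ''
    runHook preInstall

    rm -rf $out/private
    find $out -name "*.TOC" -delete
    mv $out/public $out/include

    ln -s lib $out/lib64

    # Upstream issue: https://bugzilla.mozilla.org/show_bug.cgi?id=530672
    # https://gitweb.gentoo.org/repo/gentoo.git/plain/dev-libs/nss/files/nss-3.32-gentoo-fixups.patch?id=af1acce6c6d2c3adb17689261dfe2c2b6771ab8a
    NSS_MAJOR_VERSION=`grep "NSS_VMAJOR" lib/nss/nss.h | awk '{print $3}'`
    NSS_MINOR_VERSION=`grep "NSS_VMINOR" lib/nss/nss.h | awk '{print $3}'`
    NSS_PATCH_VERSION=`grep "NSS_VPATCH" lib/nss/nss.h | awk '{print $3}'`
    PREFIX="$out"

    # Fill in the pkg-config template. The NSPR version comes from the nspr
    # derivation we actually propagate, so nss.pc never advertises a stale
    # fixed requirement.
    mkdir -p $out/lib/pkgconfig
    sed -e "s,%prefix%,$PREFIX," \
        -e "s,%exec_prefix%,$PREFIX," \
        -e "s,%libdir%,$PREFIX/lib64," \
        -e "s,%includedir%,$dev/include/nss," \
        -e "s,%NSS_VERSION%,$NSS_MAJOR_VERSION.$NSS_MINOR_VERSION.$NSS_PATCH_VERSION,g" \
        -e "s,%NSPR_VERSION%,${nspr.version},g" \
        pkg/pkg-config/nss.pc.in > $out/lib/pkgconfig/nss.pc
    chmod 0644 $out/lib/pkgconfig/nss.pc

    sed -e "s,@prefix@,$PREFIX," \
        -e "s,@MOD_MAJOR_VERSION@,$NSS_MAJOR_VERSION," \
        -e "s,@MOD_MINOR_VERSION@,$NSS_MINOR_VERSION," \
        -e "s,@MOD_PATCH_VERSION@,$NSS_PATCH_VERSION," \
        pkg/pkg-config/nss-config.in > $out/bin/nss-config
    chmod 0755 $out/bin/nss-config
  '';

  postInstall = lib.optionalString useP11kit ''
    # Replace built-in trust with p11-kit connection
    ln -sf ${p11-kit}/lib/pkcs11/p11-kit-trust.so $out/lib/libnssckbi.so
  '';

  postFixup =
    let
      isCross = stdenv.hostPlatform != stdenv.buildPlatform;
      # shlibsign must run on the build machine, so when cross-compiling it is
      # taken from the build-platform nss tools rather than the freshly built one.
      nss = if isCross then buildPackages.nss.tools else "$out";
    in
    # In FIPS mode the softoken/freebl libraries must be signed with shlibsign
    # after fixup (before they are stripped any further) so the FIPS integrity
    # check accepts them at load time. This is what makes the output
    # non-reproducible. The library path is needed so shlibsign can dlopen them.
    (lib.optionalString enableFIPS (''
      for libname in freebl3 nssdbm3 softokn3
      do libfile="$out/lib/lib$libname${stdenv.hostPlatform.extensions.sharedLibrary}"'' +
        (if stdenv.hostPlatform.isDarwin
        then ''
          DYLD_LIBRARY_PATH=$out/lib:${nspr.out}/lib \
        '' else ''
          LD_LIBRARY_PATH=$out/lib:${nspr.out}/lib \
        '') + ''
          ${nss}/bin/shlibsign -v -i "$libfile"
      done
    '')) +
    # The binaries are moved out of $out only after shlibsign has run, since
    # the non-cross case takes shlibsign from $out/bin.
    ''
      moveToOutput bin "$tools"
      moveToOutput bin/nss-config "$dev"
      moveToOutput lib/libcrmf.a "$dev" # needed by firefox, for example
      rm -f "$out"/lib/*.a

      runHook postInstall
    '';

  passthru.updateScript = ./update.sh;

  meta = with lib; {
    homepage = "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS";
    description = "A set of libraries for development of security-enabled client and server applications";
    maintainers = with maintainers; [ ];
    license = licenses.mpl20;
    platforms = platforms.all;
  };
}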